/*

Script written by VolX

Script   : Aspr2.XX_unpacker

version  : v1.14aE

Date     : 19-May-2008

Test Environment : OllyDbg 1.1, ODBGScript 1.65, WINXP, WIN2000

Debugging options: Tick all items in OllyDbg's Debugging Options-Exceptions

Tools  : OllyDbg, ODBGScript 1.65, Import Reconstructor 

Thanks : Oleh Yuschuk - author of OllyDbg

         SHaG - author of OllyScript

         Epsylon3 - author of ODbgScript

Special Thank : goes to fly, linex, machenglin for their beta testing.

*/

//support Asprotect 1.32, 1.33, ,1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3, 2.4



var tmp1            

var tmp2            

var tmp3            

var tmp4            

var tmp5            

var tmp6            

var tmp7            

var tmp8            

var tmp9

var tmp10            

var imgbase

var imgbasefromdisk

var 1stsecbase

var 1stsecsize

var ressecbase

var signVA

var sizeofimg

var dllimgbase

var count

var transit1

var transit2

var func1

var func2

var func3

var func4

var OEP_rva

var caller

var caller1



//for IAT fixing

var paddr1

var paddr2

var paddr3

var paddr4

var paddr5

var paddr6

var ori1

var ori2

var ori3

var ori4

var ori5

var iatstartaddr

var iatstart_rva

var iatendaddr

var iatsize

var EBXaddr

var ESIaddr

var lastsecbase

var lastsecsize

var thunkdataloc

var thunkpt

var thunkstop

var type3API

var type3count

var type1API

var E8count

var writept2

var APIpoint3

var crcpoint1

var FF15flag

var ESIpara1

var ESIpara2

var ESIpara3

var ESIpara4

var nortype

var DFCequ

var DFCaddr

var REequ

var REaddr

var GPAequ

var GPAaddr

var v1.32

var v2.0x

var newver

var sttablesize



//for stolencode after API

var SCafterAPIcount



//for dll

var reloc_rva

var reloc_size

var isdll

var reloc1

var reloc2

var reloc3

var reloc4

var reloc5

var reloc6

var reloctemp



//for Aspr API

var Aspr1stthunk

var AsprAPIloc

var EmuAddr



//std function

var 55pt

var 55struct1

var 55dataloc

var 55sc



//delphi initialization table

var dataendaddr

var countaddr

var tablea

var tableb

var decryptaddr

var dataloc



//OEP/SDK stolen code

var 57pt

var 57jmppt

var 57struct

var jmptablesize

var scstk

var OEPscaddr

var xtrascloc      //dllimgbase+F00

var dualvc

var sdkscaddr

var sdksccount

var vcrefstart

var vcrefend

var findendaddr

var patchaddr

var patchendaddr

var patchinsamesec

var SDKsize

var newphysec

var newphysecsize

var virtualsec

var newzeroVA

var curzeroVA

var virzeroVA

var newpatchaddr

var newpatchendaddr



//VM

var VMcodeloc

var VMstartaddr

var VMlength



cmp $VERSION, "1.64"

jb odbgver

dbh

BPHWCALL                //clear hardware breakpoint

GMI eip, MODULEBASE     //get imagebase

mov imgbase, $RESULT

//log imgbase

mov tmp1, [imgbase+3C]

add tmp1, imgbase         //tmp1=signature VA

mov signVA, tmp1

mov imgbasefromdisk, [signVA+34]

//log imgbasefromdisk

mov sizeofimg, [signVA+50]

mov tmp2, [signVA+88]

add tmp2, imgbase

mov ressecbase, tmp2

mov 1stsecsize, [signVA+100]

//log 1stsecsize

mov 1stsecbase, [signVA+104]

add 1stsecbase, imgbase

//log 1stsecbase

mov tmp1, signVA

add tmp1, f8             //1st section

mov tmp2, 0

mov tmp2, [signVA+6], 2



last:

cmp tmp2, 1

je lab1

add tmp1, 28

sub tmp2, 1

jmp last



lab1:

mov lastsecsize, [tmp1+8]

//log lastsecsize

mov tmp3, [tmp1+0C]

add tmp3, imgbase

mov lastsecbase, tmp3

//log lastsecbase



//check if its an exe or dll

cmp imgbasefromdisk, imgbase

je lab1_1

mov isdll, 1

jmp lab1_2



lab1_1:

GPI EXEFILENAME

mov tmp1, $RESULT

cmp tmp1, 0

je error

GPI PROCESSNAME

mov tmp2, $RESULT

GPI CURRENTDIR

mov tmp3, $RESULT

eval "{tmp3}{tmp2}.exe"

mov tmp4, $RESULT

eval "{tmp3}{tmp2}.dll"

mov tmp5, $RESULT

scmpi tmp1, tmp4

je lab1_2

scmpi tmp1, tmp5

jne error

mov isdll, 1



lab1_2:

cob

coe

gpa "GetSystemTime", "kernel32.dll"

bp $RESULT

esto

bc $RESULT

rtr

sti

GMEMI eip, MEMORYOWNER

mov dllimgbase, $RESULT

cmp dllimgbase, 0

je error

//log dllimgbase

find dllimgbase, #3135310D0A#

mov tmp1, $RESULT

cmp tmp1, 0

je wrongver

find dllimgbase, #0F318901895104#      //check rdtsc trick

mov tmp1, $RESULT

cmp tmp1, 0

je lab1_5

sub tmp1, 80

find tmp1, #558BEC#

mov tmp1, $RESULT

cmp tmp1, 0

je error

bp tmp1

eob lab1_3

eoe lab1_3

esto



lab1_3:

cmp eip, tmp1

je lab1_4

esto



lab1_4:

bc tmp1

mov eip, [esp]

add esp, 4



lab1_5:

find dllimgbase, #8B5F048B3383C304#  //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4"

mov tmp2, $RESULT

cmp tmp2, 0

jne lab1_6

find dllimgbase, #8B6F048B750083C504#  //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4"

mov tmp2, $RESULT

cmp tmp2, 0

jne lab1_6

find dllimgbase, #8B6?0?8B?50083C504#  //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4"

mov tmp2, $RESULT

cmp tmp2, 0

je error



lab1_6:

find dllimgbase, #3138310D0A#

cmp $RESULT, 0

je lab1_7

sub tmp2, 600

jmp lab1_8



lab1_7:

sub tmp2, 200



lab1_8:

find tmp2,  #8BF08973??#     //search "mov esi, eax", "mov [ebx+??], esi"

mov tmp3, $RESULT

cmp tmp3, 0

je error

mov 57pt, tmp3

find 57pt, #3130370D0A#

mov tmp5, $RESULT

cmp tmp5, 0

je error

sub tmp5, 57pt

cmp tmp5, 0A0

ja error



lab2:

//log 57pt

mov tmp1, dllimgbase

add tmp1, 010e00

find tmp1, #892D????????3b6C24??#

mov tmp2, $RESULT

cmp tmp2, 0

je error45

find tmp2, #833C240074??#

mov tmp4, $RESULT

cmp tmp4, 0

je error45

add tmp4, 4

find tmp1, #8B5483408BC6#      //search "mov edx,[ebx+eax*4+40]" "mov eax,esi"

mov tmp2, $RESULT              //vcpoint

cmp tmp2, 0

je error

find tmp2, #807B740074??#       //search "cmp [ebx+74],0" "je xxxxxxxx"

mov tmp3, $RESULT

cmp tmp3, 0

je lab2_1

mov dualvc, 1



lab2_1:

bp tmp4

eob lab3

eoe lab3

esto



lab3:

cmp eip, tmp4

je lab4

esto



lab4:

bc tmp4

mov tmp1, eip

sub tmp1, 1000

find tmp1, #F3A566A5#  //search "rep movs[edi],[esi]","movs [edi],[esi]"

mov tmp1, $RESULT

cmp tmp1, 0

je error

find tmp1, #0F84??000000#

mov thunkstop, $RESULT

//log thunkstop

bp thunkstop

find dllimgbase, #45894500#   //search "inc ebp", "mov [ebp],eax"

mov tmp2, $RESULT

cmp tmp2, 0

je error

sub tmp2, 27

mov APIpoint3, tmp2

//log APIpoint3

find dllimgbase, #40890383C704#

mov tmp1, $RESULT

add tmp1, 1

mov thunkpt, tmp1

//log thunkpt

cmp isdll, 1

jne lab7_1

mov !zf, 1

mov tmp1, eip

mov tmp2, [tmp1+2], 2

cmp tmp2, 5C03             //chk if "add ebx, [esp+4]"

je lab5

cmp tmp2, 5C8B             //chk if "mov ebx, [esp+4]"

jne error

mov reloc_rva, esi

mov tmp1, esi

jmp lab6



lab5:

mov reloc_rva, ebx

mov tmp1, ebx



lab6:

add tmp1, imgbase

call ChkRelocSize



lab7:

mov reloc_size, tmp2



lab7_1:

bp thunkpt

find dllimgbase, #33C08A433?3BF0#   //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"

mov paddr1, $RESULT

cmp paddr1, 0

je error

add paddr1, 7

//log paddr1

mov tmp2, [paddr1-3], 1

cmp tmp2, 3F

jne lab8

mov v1.32, 1



lab8:

mov thunkdataloc, dllimgbase

add thunkdataloc, 200          //dllimgbase+200

find dllimgbase, #0036300D0A#

mov tmp1, $RESULT

cmp tmp1, 0

je error

find tmp1, #68????????68????????68????????68????????#

mov tmp1, $RESULT

add tmp1, 14

mov tmp3, [tmp1], 2

cmp tmp3, 35FF

je lab11

mov crcpoint1, tmp1

//log crcpoint1

bp crcpoint1

eob lab9

eoe lab9

esto



lab9:

cmp eip, crcpoint1

je lab10

esto



lab10:

eob

eoe

bc crcpoint1

bc thunkpt

bc thunkstop

rtr

sti

bp thunkpt

bp thunkstop



lab11:

eob lab12

eoe lab12

esto



lab12:

cmp eip, thunkpt

je lab13

cmp eip, thunkstop

je lab18

esto



lab13:

bc thunkpt

mov ESIaddr, esi

//log ESIaddr

mov ori1, [paddr1]

mov ori2, [paddr1+4]

mov tmp1, [signVA+30]

add tmp1, imgbase

find tmp1, #426F726C616E6420432B2B202D#   //Search "Borland C++ -"

mov tmp2, $RESULT

cmp tmp2, 0

jne lab13_1

find tmp1, #436F64654765617220432B2B202D#   //Search "CodeGear C++ -"

mov tmp2, $RESULT

cmp tmp2, 0

je lab13_2



lab13_1:

mov tmp1, [ebx]

add tmp1, imgbase

GMEMI tmp1, MEMORYBASE

mov tmp2, $RESULT

cmp tmp2, 0

je error

GMEMI tmp1, MEMORYSIZE

mov tmp3, $RESULT

cmp tmp3, 0

je error

fill tmp2, tmp3, 00



lab13_2:

find eip, #3A5E3?7517#

mov tmp1, $RESULT

cmp tmp1, 0

je error

mov ESIpara1, [tmp1]

//log ESIpara1

add tmp1, 6

find tmp1, #3A5E3?7517#

mov tmp2, $RESULT

cmp tmp2, 0

je error

mov ESIpara2, [tmp2]

//log ESIpara2

add tmp2, 6

find tmp2, #3A5E3?75??#

mov tmp1, $RESULT

cmp tmp1, 0

je error

mov ESIpara3, [tmp1]

//log ESIpara3

add tmp1, 6



//chk version is with AsprAPI ?

find dllimgbase, #3138300D0A#

mov tmp2, $RESULT

cmp tmp2, 0

je lab13_3

find tmp1, #8A07E8#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 3

mov tmp6, [tmp2]

add tmp6, tmp2

add tmp6, 5



lab13_3:

find tmp1, #473A5E3?#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 1

mov tmp3, [tmp2], 3

add tmp3, 74000000

mov ESIpara4, tmp3

//log ESIpara4

find eip, #834424080447EB1A#  //search "add [esp+8],4", "inc edi"

mov tmp1, $RESULT

cmp tmp1, 0

je lab13_4

mov nortype, 1

//log nortype



//checking iatendaddr

lab13_4:

mov tmp7, eip         //save eip

mov tmp1, dllimgbase

mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#

add tmp1, 30   //30

mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#

add tmp1, 30  //60

mov [tmp1], #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F8FF45FCEBAE807D0401#

add tmp1, 30  //90

mov [tmp1], #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#

add tmp1, 30  //C0

mov [tmp1], #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508# 

add tmp1, 30  //F0

mov [tmp1], #08EBD58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#

mov tmp1, dllimgbase

mov tmp2, dllimgbase

add tmp2, 0F00          //dllimgbase+F00

add tmp1, 3     //3

mov [tmp1], ESIaddr

add tmp1, 5     //8

mov [tmp1], tmp2

add tmp1, 7     //F

mov [tmp1], thunkdataloc

add tmp1, A    //19

mov [tmp1], imgbase

add tmp1, 23    //3C

mov [tmp1], ESIpara4

add tmp1, 5     //41

mov [tmp1], ESIpara1

add tmp1, D     //4E

mov [tmp1], ESIpara2

add tmp1, D     //5B

mov [tmp1], ESIpara3

add tmp1, 4A    //A5

mov [tmp1], thunkdataloc

add tmp1, 57    //FC

mov [tmp1], thunkdataloc

cmp nortype, 1

je lab14

mov tmp1, dllimgbase

add tmp1, 74       //74

mov [tmp1], #83C705FF#



lab14:

cob

coe

mov tmp4, dllimgbase

add tmp4, 11A      //end point

bp tmp4

mov eip, dllimgbase

run

bc tmp4

mov eip, tmp7       //restore eip

mov tmp1, dllimgbase

add tmp1, 0EFC

mov tmp2, [tmp1]     //API count of last dll

mov tmp3, [tmp1+10]  //last thunk addr

shl tmp2, 2

add tmp3, tmp2

mov iatendaddr, tmp3

//log iatendaddr

mov iatstartaddr, [tmp1+18]

//log iatstartaddr

mov iatstart_rva, iatstartaddr

sub iatstart_rva, imgbase

mov [iatendaddr], 0

mov tmp2, iatendaddr

sub tmp2, iatstartaddr

add tmp2, 4

mov iatsize, tmp2



find dllimgbase, #3138300D0A#

cmp $RESULT, 0

je lab14_1

find tmp6, #BA01000000B9#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 6

mov AsprAPIloc, [tmp2]

log AsprAPIloc

mov tmp2, [tmp1+24]

cmp tmp2, 0

je lab14_1

add tmp2, imgbase

mov Aspr1stthunk, tmp2

log Aspr1stthunk 



lab14_1:

fill dllimgbase, f30, 00



//force to decrypt all api

mov tmp1, dllimgbase

cmp v1.32, 1

je lab15

mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#

jmp lab16



lab15:

mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#



lab16:

add tmp1, 10

mov tmp2, paddr1

add tmp2, 60

eval "jnz 0{tmp2}" 

asm tmp1, $RESULT

add tmp1, 6

mov tmp2, paddr1

add tmp2, 5

eval "jmp 0{tmp2}"

asm tmp1, $RESULT

eval "jmp {dllimgbase}"

asm paddr1, $RESULT

find paddr1, #3B432?74656AFF#  //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"  

mov paddr2, $RESULT

cmp paddr2, 0

je lab17

add paddr2, 3

//log paddr2

mov ori3, [paddr2]

mov [paddr2], #EB#



lab17:

find paddr1, #3B432?741b6AFF#  //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"

mov paddr3, $RESULT

cmp paddr3, 0

je error

add paddr3, 3

//log paddr3

mov ori4, [paddr3]

mov [paddr3], #EB#

find paddr1, #8902B8????????#

mov paddr4,  $RESULT

cmp paddr4, 0

je error

add paddr4, 2

//log paddr4

gpa "DllFunctionCall", "MSVBVM60.dll"

mov tmp2, $RESULT

cmp tmp2, 0

je lab17_1

GMEMI tmp2, MEMORYOWNER

mov tmp3, $RESULT

cmp tmp3, 0

jne lab17_4



lab17_1:

gpa "DllFunctionCall", "MSVBVM50.dll"

mov tmp2, $RESULT

cmp tmp2, 0

je lab17_5

GMEMI tmp2, MEMORYOWNER

mov tmp3, $RESULT

cmp tmp3, 0

je lab17_5



//Add more VB version if needed.....



lab17_4:

mov DFCaddr, tmp2

mov DFCequ, [paddr4+1]

mov tmp1, dllimgbase

add tmp1, 20           //dllimgbase+20

eval "jmp 0{tmp1}"

asm paddr4, $RESULT

mov [tmp1], #B8#

add tmp1, 1            //dllimgbase+21

mov [tmp1], tmp2 

mov tmp3, paddr4

add tmp3, 5

add tmp1, 4            //dllimgbase+25

eval "jmp 0{tmp3}"

asm tmp1, $RESULT



lab17_5:

mov count, 0           //counter

find paddr4, #C21000#

mov tmp1,  $RESULT

cmp tmp1, 0

je error

mov tmp2, paddr4



loop2:

find tmp2, #Eb01??B8????????#

mov paddr5,  $RESULT

cmp paddr5, 0

je loop2_1

cmp paddr5, tmp1

ja loop2_1

add count, 1

mov tmp2, paddr5

add tmp2, 8

jmp loop2



//end

loop2_1:

//log count

cmp count, 2

je lab17_6

cmp count, 0

je lab17_10

cmp count, 1

jne error

mov tmp4, paddr4

jmp lab17_7



lab17_6:

find paddr4, #Eb01??B8????????#

mov paddr5,  $RESULT

cmp paddr5, 0

je error

add paddr5, 3

//log paddr5

mov tmp4, paddr5

gpa "RaiseException", "kernel32.dll"

mov tmp2, $RESULT

cmp tmp2, 0

je lab17_7

GMEMI tmp2, MEMORYOWNER

mov tmp3, $RESULT

cmp tmp3, 0

je lab17_7

mov REaddr, tmp2

mov REequ, [paddr5+1]

mov tmp1, dllimgbase

add tmp1, 30           //dllimgbase+30

eval "jmp 0{tmp1}"

asm paddr5, $RESULT

mov [tmp1], #B8#

add tmp1, 1            //dllimgbase+31

mov [tmp1], tmp2 

mov tmp3, paddr5

add tmp3, 5

add tmp1, 4            //dllimgbase+35

eval "jmp 0{tmp3}"

asm tmp1, $RESULT



lab17_7:

find tmp4, #Eb01??B8????????#

mov paddr6,  $RESULT

cmp paddr6, 0

je error

add paddr6, 3

//log paddr6

mov tmp1, [paddr6+1]

mov tmp2, 0

mov tmp2, [tmp1], 1

cmp tmp2, 0E8

jne lab17_8

mov tmp2, [tmp1+5], 2

cmp tmp2, 0E0FF

jne lab17_10

gpa "RaiseException", "kernel32.dll"

mov tmp2, $RESULT

cmp tmp2, 0

je lab17_10

GMEMI tmp2, MEMORYOWNER

mov tmp3, $RESULT

cmp tmp3, 0

je lab17_10

mov REaddr, tmp2

mov REequ, [paddr6+1]

cmp count, 1

jne lab17_9

mov paddr5, paddr6

jmp lab17_9



lab17_8:

mov tmp2, [tmp1+5], 1

cmp tmp2, 0C

jne lab17_10

mov tmp2, [tmp1+8], 1

cmp tmp2, 08

jne lab17_10

gpa "GetProcAddress", "kernel32.dll"

mov tmp2, $RESULT

cmp tmp2, 0

je lab17_10

GMEMI tmp2, MEMORYOWNER

mov tmp3, $RESULT

cmp tmp3, 0

je lab17_10

mov GPAaddr, tmp2

mov GPAequ, [paddr6+1]



lab17_9:

mov tmp1, dllimgbase

add tmp1, 40           //dllimgbase+40

eval "jmp 0{tmp1}"

asm paddr6, $RESULT

mov [tmp1], #B8#

add tmp1, 1            //dllimgbase+41

mov [tmp1], tmp2 

mov tmp3, paddr6

add tmp3, 5

add tmp1, 4            //dllimgbase+45

eval "jmp 0{tmp3}"

asm tmp1, $RESULT



lab17_10:

mov count, 0

eob lab12

eoe lab12

esto



lab18:

bc thunkstop

bphwc thunkpt

mov [paddr1], ori1

mov [paddr1+4], ori2

cmp DFCequ, 0

je lab18_1

mov [paddr4], #B8#

mov [paddr4+1], DFCequ



lab18_1:

cmp REequ, 0

je lab18_2

mov [paddr5], #B8#

mov [paddr5+1], REequ



lab18_2:

cmp GPAequ, 0

je lab18_3

mov [paddr6], #B8#

mov [paddr6+1], GPAequ



lab18_3:

cmp paddr2, 0

je lab19

mov [paddr2], ori3



lab19:

mov [paddr3], ori4

fill dllimgbase, 60, 00



find dllimgbase, #8B432C2BC583E805#

mov tmp1, $RESULT

cmp tmp1, 0

je error

add tmp1, 8

mov writept2, tmp1

//log writept2

bphws writept2, "x"

find eip, #C700D4000000#  //Search dword ptr [eax], 0D4"

mov 55pt, $RESULT

cmp 55pt, 0

add 55pt, 8

jne lab19_2

find eip, #C600D485#    //Search "mov byte ptr [eax], 0D4"

mov 55pt, $RESULT

cmp 55pt, 0

je lab19_1

add 55pt, 5

jmp lab19_2



lab19_1:

find eip, #C600D4837D??00#    //Search "mov byte ptr [eax], 0D4", "cmp [ebp-8], 0"

mov 55pt, $RESULT

cmp 55pt, 0

je error

add 55pt, 7



lab19_2:

//log 55pt

bp 55pt

BPHWS APIpoint3, "x"

eoe lab20

eob lab20

esto



lab20:

cmp eip, APIpoint3

je lab21

cmp eip, writept2

je lab23

cmp eip, 55pt

je lab25

esto



lab21:

mov type3API, 1

cmp EBXaddr, 0

jne lab22

mov EBXaddr, ebx

//log EBXaddr

mov tmp1, [EBXaddr+4A], 1

mov FF15flag, tmp1

//log FF15flag



lab22:

bphwc APIpoint3

eob lab22_1

eoe lab22_1

esto



lab22_1:

cmp eip, writept2

je lab23

cmp eip, 55pt

je lab25

esto



lab23:

bphwc writept2

cmp EBXaddr, 0

jne lab24

mov EBXaddr, ebx

//log EBXaddr

mov tmp1, [EBXaddr+4A], 1

mov FF15flag, tmp1

//log FF15flag



lab24:

mov type1API, 1

//log type1API

eob lab24_1

eoe lab24_1

esto



lab24_1:

cmp eip, APIpoint3

je lab21

cmp eip, 55pt

je lab25

esto



lab25:

bphwc APIpoint3

bphwc writept2

bc 55pt

cmp !zf, 0

jne lab27_1

sti

sti

sti

sti

mov tmp1, eax

mov tmp2, [tmp1]

//log tmp2, "55 struct = "

cmp tmp2, 0

je lab25_1

cmp tmp2, 1

je lab25_2

msg "Unknown 55 struct"

//pause



//old

lab25_1:

mov tmp2, eax

mov tmp6, [tmp2+4]   //data size

add tmp6, tmp2

sub tmp6, 8          //ending address of data

add tmp2, 8

jmp lab25_3



//new

lab25_2:

mov 55struct1, 1

mov tmp2, eax

mov tmp6, [tmp2+6]   //data size

add tmp6, tmp2

sub tmp6, 8          //ending address of data

add tmp2, 0C



lab25_3:

alloc 1000

mov 55dataloc, $RESULT

mov tmp3, 55dataloc



loop3:

cmp tmp2, tmp6

jae lab26

mov tmp4, [tmp2]

add tmp4, imgbase

mov [tmp3], tmp4

add tmp2, 4

mov tmp5, [tmp2]

add tmp2, tmp5

add tmp2, 4

add tmp3, 4

add count, 1

cmp 55struct1, 1

je loop3_1

jmp loop3



loop3_1:

add tmp2, 2

jmp loop3



lab26:

coe

cob

rtr

//log count

cmp count, 1

je onefunc

cmp count, 2

je twofunc

cmp count, 5

je fivefunc

cmp count, 6

je sixfunc

cmp count, 7

je sevenfunc



lab26_1:

sti

mov 55sc, 1

jmp lab27_1



onefunc:

log "1 standard functions"

mov tmp1, 55dataloc

mov tmp2, [tmp1]

mov [tmp2], #6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3#

jmp lab27



twofunc:

mov tmp1, 55dataloc

mov tmp2, [tmp1]

mov tmp3, [tmp1]

sub tmp3, A

mov tmp4, [tmp3]

cmp tmp4, A6F3D189

je twofunc_1

sub tmp3, 1

mov tmp4, [tmp3]

cmp tmp4, A6F3D189

jne lab26_1



twofunc_1:

log "2 standard functions"

mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#

add tmp2, 30

mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#

add tmp1, 4

mov tmp2, [tmp1]

mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#

jmp lab27



fivefunc:

log "5 standard functions"

jmp lab26_1



sixfunc:

log "6 standard functions"

mov tmp1, 55dataloc

mov tmp2, [tmp1]

mov tmp3, [tmp1]

sub tmp3, 30

find tmp3, #0FB646FF0FB657FF#

mov tmp4, $RESULT

cmp tmp4, 0

je lab26_1

//log tmp4

cmp tmp4, tmp2

ja lab26_1

mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#

add tmp2, 30

mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#

add tmp1, 4    //2nd

mov tmp2, [tmp1]

mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3# 

add tmp1, 4   //3rd

mov tmp2, [tmp1]

mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#

add tmp1, 4   //4th

mov tmp2, [tmp1]

mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#

add tmp1, 4   //5th

mov tmp2, [tmp1]

mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#

add tmp1, 4   //6th

mov tmp2, [tmp1]

mov [tmp2], #568BF08BD0AC08C074123C614172F680F87A77F180E8208846FFEBE9925EC3#

jmp lab27



sevenfunc:

log "7 standard functions"

mov tmp1, 55dataloc

mov tmp2, [tmp1]

mov tmp3, [tmp1]

sub tmp3, B

mov tmp4, [tmp3]

cmp tmp4, A6F3D189

jne lab26_1

mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#

add tmp2, 30

mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#

add tmp1, 4    //2nd

mov tmp2, [tmp1]

mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3# 

add tmp1, 4   //3rd

mov tmp2, [tmp1]

mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#

add tmp1, 4   //4th

mov tmp2, [tmp1]

mov [tmp2], #565789D689C789CA39F77711742BC1E902F3A589D183E103F3A45F5EC38D740EFF8D7C0FFF83E103FDF3A483EE0383EF#

add tmp2, 30

mov [tmp2], #0389D1C1E902F3A5FC5F5EC3#

add tmp1, 4   //5th

mov tmp2, [tmp1]

mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#

add tmp1, 4   //6th

mov tmp2, [tmp1]

mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#

add tmp1, 4   //7th

mov tmp2, [tmp1]

mov [tmp2], #57565309C0744409D2744089C389D730C0B9FFFFFFFFF2AEF7D149742E89CE89DFB9FFFFFFFFF2AEF7D129F1761D89DF#

add tmp2, 30

mov [tmp2], #8D5EFF89D6ACF2AE751189C85789D9F3A65F89C175ED8D47FFEB0231C05B5E5FC3#



lab27:

sti



lab27_1:

cob

coe

find dllimgbase, #0036300D0A#

mov tmp6, $RESULT

cmp tmp6, 0

je error

mov tmp3, tmp6

sub tmp3, 90

find tmp3, #C600??#

mov tmp2, $RESULT

cmp tmp2, 0

je lab27_2

cmp tmp2, tmp6

jb lab27_3



lab27_2:

find tmp3, #C700D?000000#

mov tmp2, $RESULT

cmp tmp2, 0

je error

cmp tmp2, tmp6

ja error



lab27_3:

find tmp2, #74??#

mov tmp4, $RESULT

cmp tmp4, 0

je error

cmp tmp4, tmp6

ja error

mov transit1, tmp4

//log transit1



find eip, #C700D5000000#

mov tmp3, $RESULT

cmp tmp3, 0

add tmp3, 8

jne lab27_4

find eip, #C600D5#

mov tmp1, $RESULT

cmp tmp1, 0

je error

find tmp1, #74??#

mov tmp3, $RESULT

cmp tmp3, 0

je error



lab27_4:

eob lab27_5

eoe lab27_5

bp tmp3

esto



lab27_5:

cmp eip, tmp3

je lab27_6

esto



lab27_6:

bc tmp3

cmp !zf, 0

jne lab28

//Collect SDK stolen code

find dllimgbase, #C603E98D5301#

mov 57jmppt, $RESULT

cmp 57jmppt, 0

je error

bp 57jmppt

mov xtrascloc, dllimgbase

add xtrascloc, 0F00          //dllimgbase+F00

//log xtrascloc

//log 57pt

bp 57pt

mov tmp4, xtrascloc

mov tmp5, dllimgbase

add tmp5, 300         //dllimgbase+300

mov tmp9, dllimgbase

add tmp9, 500         //dllimgbase+500

mov tmp8, dllimgbase

mov tmp7, 0            //counter



lab28:

bp transit1

eob lab28_1

eoe lab28_1

esto



lab28_1:

cmp eip, 57pt

je lab29

cmp eip, 57jmppt

je lab30

cmp eip, transit1

je lab31

esto



//Get total SDK sections and collect address of scstk

lab29:

cmp sdksccount, 0

jne lab29_9

find eip, #8BE55DC2??00#

mov tmp1, $RESULT

cmp tmp1, 0

je error

mov tmp2, [tmp1+4], 1

cmp tmp2, 08

jne lab29_1

mov sdksccount, [ebp-0c]

log sdksccount, "Total SDK stolen code sections = "

mov tmp1, [esp]

GMEMI tmp1, MEMORYBASE

mov tmp10, $RESULT

jmp lab29_2



lab29_1:

cmp tmp2, 0c

jne error

mov sdksccount, [ebp-10]

log sdksccount, "SDK stolen code sections = "

mov tmp1, [esp+4]

GMEMI tmp1, MEMORYBASE

mov tmp10, $RESULT



lab29_2:

cmp tmp7, 0

jne lab29_9

mov tmp1, [tmp10+4], 2

cmp tmp1, 0

je lab29_6

cmp tmp1, 1

jne lab29_3

add tmp10, 0E

jmp lab29_4



//Aspr 2.3 Build6.26

lab29_3:

mov tmp1, [tmp10+4]

mov tmp2, [tmp10+0E]

cmp tmp1, tmp2

jne error             //unknown aspr version

mov tmp1, [tmp10+8], 2

cmp tmp1, 1

jne error             //unknown aspr version

mov tmp2, [tmp10+12], 2

cmp tmp1, tmp2

jne error             //unknown aspr version

add tmp10, 12



lab29_4:

mov tmp1, [tmp10], 2

cmp tmp1, 01

jne lab29_9

mov tmp2, [tmp10+6]

cmp tmp2, 0

je lab29_9

mov tmp1, [tmp10+2]

cmp tmp1, 0

je lab29_9

add tmp1, imgbase

mov [tmp8], tmp1

add tmp8, 4

add tmp10, tmp2

add tmp10, 0A

cmp tmp2, 1000

ja lab29_5

add SDKsize, 1000

jmp lab29_4



lab29_5:

and tmp2, FFFFF000

add tmp2, 1000

add SDKsize, tmp2

jmp lab29_4



lab29_6:

add tmp10, 0C



lab29_7:

mov tmp2, [tmp10+4]

cmp tmp2, 0

je lab29_9

mov tmp1, [tmp10]

cmp tmp1, 0

je lab29_9

add tmp1, imgbase

mov [tmp8], tmp1

add tmp8, 4

add tmp10, tmp2

add tmp10, 08

cmp tmp2, 1000

ja lab29_8

add SDKsize, 1000

jmp lab29_7



lab29_8:

and tmp2, FFFFF000

add tmp2, 1000

add SDKsize, tmp2

jmp lab29_7



lab29_9:

mov [tmp4], eax

add tmp7, 1           //counter

mov tmp1, [ebx]

add tmp1, imgbase

mov [tmp5], tmp1

add tmp4, 4

add tmp5, 4

eob lab28_1

eoe lab28_1

esto



lab30:

mov tmp1, dllimgbase

add tmp1, 500         //dllimgbase+500

mov tmp2, [tmp1]

cmp tmp2, 0

jne lab30_3

//Decide the structure of jmp table and dump it

mov tmp2, edi

mov jmptablesize, 0

mov tmp1, [edi], 2

cmp tmp1, 1

je lab30_2

mov tmp1, [edi]

mov tmp3, [edi+8]

cmp tmp1, tmp3

jne lab30_1

mov 57struct, "57A"

jmp lab30_3



lab30_1:

mov 57struct, "57C"

jmp lab30_3



lab30_2:

mov 57struct, "57B"



//copy data

lab30_3:

scmp 57struct, "57A"

je lab30_4

scmp 57struct, "57B"

je lab30_6

scmp 57struct, "57C"

je lab30_8

jmp error



lab30_4:

bc 57jmppt

cob

coe

mov tmp1, dllimgbase

add tmp1, 100

mov [tmp1], #609C8BF7BF0005C0008B06394608750F8B4E04890F83C60883C704F2A4EBEA893D400122019D61909090#

mov tmp1, dllimgbase

add tmp1, 100

add tmp1, 5     //105

mov tmp2, dllimgbase

add tmp2, 500

mov [tmp1], tmp2

add tmp1, 1C    //121

mov tmp2, dllimgbase

add tmp2, 140

mov [tmp1], tmp2

add tmp1, 6     //127--end point

bp tmp1

mov ori1, eip

mov tmp2, dllimgbase

add tmp2, 100

mov eip, tmp2

run

cmp eip, tmp1

jne error

bc tmp1

mov tmp2, [dllimgbase+140]

mov tmp3, dllimgbase

add tmp3, 500

sub tmp2, tmp3

mov jmptablesize, tmp2

mov eip, ori1

mov tmp2, dllimgbase

add tmp2, 100

fill tmp2, 44, 00

jmp lab30_12



lab30_6:

bc 57jmppt

cob

coe

mov tmp1, dllimgbase

add tmp1, 100

mov [tmp1], #609C8BF7BF0005C9008B460283F800741439460A750F8B4E06890F83C60A83C704F2A4EBE4893D4001C9009D61909000#

mov tmp1, dllimgbase

add tmp1, 100

add tmp1, 5     //105

mov tmp2, dllimgbase

add tmp2, 500

mov [tmp1], tmp2

add tmp1, 22    //127

mov tmp2, dllimgbase

add tmp2, 140

mov [tmp1], tmp2

add tmp1, 6    //12D--end point

bp tmp1

mov ori1, eip

mov tmp2, dllimgbase

add tmp2, 100

mov eip, tmp2

run

cmp eip, tmp1

jne error

bc tmp1

mov tmp2, [dllimgbase+140]

mov tmp3, dllimgbase

add tmp3, 500

sub tmp2, tmp3

mov jmptablesize, tmp2

mov eip, ori1

mov tmp2, dllimgbase

add tmp2, 100

fill tmp2, 44, 00

jmp lab30_12



lab30_8:

mov tmp2, [edi]

add tmp2, imgbase

cmp tmp2, ebx

jne lab30_12

mov ori1, edi

find ori1, #0000000000000000#

mov tmp3, $RESULT

cmp tmp3, 0

je error

sub tmp3, ori1

mov tmp2, tmp3

shr tmp2, 2

shl tmp2, 2

cmp tmp3, tmp2

je lab30_9

shr tmp3, 2

add tmp3, 1

shl tmp3, 2



lab30_9:

add jmptablesize, tmp3   //bytes to copy

add jmptablesize, 0C

mov tmp2, tmp3

add tmp2, 8

mov [tmp9], tmp2

add tmp9, 4



lab30_10:

cmp tmp3, 0

je lab30_11

mov tmp1, [ori1]

mov [tmp9], tmp1

add ori1, 4

add tmp9, 4

sub tmp3, 4

jmp lab30_10



lab30_11:

add tmp9, 8       //add 8 bytes for differentiation



lab30_12:

eob lab28_1

eoe lab28_1

esto



lab31:

cmp sdksccount, 0        

je lab32

//log SDKsize

//log jmptablesize

mov tmp1, dllimgbase

add tmp1, 500

dm tmp1, jmptablesize, "jmptable.bin"

cmp sdksccount, tmp7        //tmp7=number of section with scstk

je lab31_1

log tmp7, "SDK section with scstk = "

mov tmp1, dllimgbase        //Location of full set address

mov tmp2, tmp1

add tmp2, 300               //Location of section with scstk

mov tmp9, xtrascloc         //store SDK section without scstk

add tmp9, 80 



//find out which SDK section need dumping

loop4:

mov tmp3, [tmp1]

cmp tmp3, 0

je lab31_1            //compare finished



loop4_1:

mov tmp4, [tmp2]

cmp tmp4, 0

je loop4_2            //not found

cmp tmp3, tmp4

je loop4_3            //jmp if found

add tmp2, 4

jmp loop4_1



//section need to be dump manually found

loop4_2:

mov tmp6, [tmp1]

mov tmp5, [tmp6+1]

add tmp5, tmp6

add tmp5, 5

log tmp5, "SDK stolen code section address = "

mov [tmp9], tmp6             //store SDK section without scstk

add tmp9, 4

mov [tmp9], tmp5

add tmp9, 4 

add tmp1, 4

mov tmp2, dllimgbase

add tmp2, 300                 //Location of section with scstk

jmp loop4



loop4_3:

add tmp1, 4

mov tmp2, dllimgbase

add tmp2, 300                 //Location of section with scstk

jmp loop4



//end compare

lab31_1:

fill dllimgbase, B00, 00



lab32:

bc 57pt

bc 57jmppt

bc transit1

cmp !zf, 0

jne lab41

sti

sti

sti

mov countaddr, [eax]

add countaddr, imgbase

log countaddr, "Delphi initialization table address "

find dllimgbase, #55FFD784C07504#

mov tmp1, $RESULT

cmp tmp1, 0

je error

find tmp1, #837D0?0075E5#

mov tmp3, $RESULT

cmp tmp3, 0

je error

sub tmp3, 2

mov tmp2, dllimgbase

bp tmp3

mov tmp4, 0          //counter

eob lab32_1

eoe lab32_1

esto



lab32_1:

cmp eip, tmp3

je lab32_2

esto



lab32_2:

mov [tmp2], edx

cmp tmp4, 2

je lab32_3

add tmp2, 4

add tmp4, 1

esto



lab32_3:

bc tmp3

cob

coe

rtr

sti

rtr

sti

rtr

mov tablea, [dllimgbase]

mov tableb, [dllimgbase+4]

mov decryptaddr, [dllimgbase+8]

fill dllimgbase, 10, 00

alloc 4000

mov dataloc, $RESULT

//log dataloc



find decryptaddr, #81??????????0F84????00005?5?#

mov tmp1, $RESULT

cmp tmp1, 0

je error

add tmp1, 0C

mov paddr1, tmp1

//log paddr1

mov ori1, [paddr1]

mov ori2, [paddr1+4]

//log ori1

//log ori2

find paddr1, #E8????0000#

mov tmp1, $RESULT

cmp tmp1, 0

je error

mov tmp9, tmp1

mov tmp2, [tmp1+1]

add tmp2, tmp1

add tmp2, 5

find tmp2, #3B??0F82??FFFFFF#

mov tmp3, $RESULT

cmp tmp3, 0

je error

mov paddr2, tmp3

//log paddr2

mov tmp2, [tmp3+4]

add tmp2, tmp3

add tmp2, 8

mov tmp1, [tmp2], 1

cmp tmp1, 2B

je lab32_4

find tmp2, #2B??#

mov tmp1, $RESULT

cmp tmp1, 0

je error

cmp paddr2, tmp1

jb error

opcode tmp1

mov tmp5, $RESULT_2

add tmp5, tmp1

jmp lab32_9



lab32_4:

opcode tmp2

mov tmp5, $RESULT_2

add tmp5, tmp2



lab32_9:

mov ori3, [paddr2]

mov tmp1, dllimgbase

mov [tmp1], #609CB800004000B900104000BA00204000BB00304000BD00404000BE00504000BF00604000E80001300090909D619090#

mov tmp1, dllimgbase

mov tmp6, imgbase

add tmp1, 3      //3

mov [tmp1], tmp6

add tmp6, 1000

add tmp1, 5      //8

mov [tmp1], tmp6

add tmp6, 1000

add tmp1, 5      //D

mov [tmp1], tmp6

add tmp6, 1000

add tmp1, 5      //12

mov [tmp1], tmp6

add tmp6, 2000

add tmp1, 5      //17   

mov [tmp1], tmp6

add tmp6, 1000

add tmp1, 5      //1C

mov [tmp1], tmp6

add tmp6, 1000

add tmp1, 5      //21

mov [tmp1], tmp6

add tmp1, 4      //25

eval "call 0{tmp5}"

asm tmp1, $RESULT

mov [paddr2], #C390#

mov tmp7, eip

mov tmp6, esp

mov eip, dllimgbase

bp paddr2

eob lab33

eoe lab33

run



lab33:

cmp eip, paddr2

je lab33_1

jmp error



lab33_1:

bc paddr2

mov tmp1, tmp6

sub tmp1, 28

mov esp, tmp1

sti

mov tmp1, imgbase

cmp eax, tmp1

je ecxchk

mov tmp8, eax

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34



ecxchk:

add tmp1, 1000

cmp ecx, tmp1

je edxchk

mov tmp8, ecx

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34



edxchk:

add tmp1, 1000

cmp edx, tmp1

je ebxchk

mov tmp8, edx

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34



ebxchk:

add tmp1, 1000

cmp ebx, tmp1

je ebpchk

mov tmp8, ebx

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34



ebpchk:

add tmp1, 2000

cmp ebp, tmp1

je esichk

mov tmp8, ebp

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34



esichk:

add tmp1, 1000

cmp esi, tmp1

je edichk

mov tmp8, esi

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34



edichk:

add tmp1, 1000

cmp edi, tmp1

je edxchk

mov tmp8, edi

sub tmp8, tmp1

cmp tmp8, 10

jbe lab34

jmp error



lab34:

cob

coe

mov tmp1, dllimgbase

add tmp1, 2e

bp tmp1

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7

mov [paddr2], ori3         //restore code

fill dllimgbase, 50, 00



mov tmp7, eip

mov tmp1, dllimgbase

mov [tmp1], #609CB90000FD01BA00001602BD00001802BE0000170233C08B3983FF00743281FF72E9EFB9741F8BDE03322B312B0390#

add tmp1, 30      //30

mov [tmp1], #909090909090909090909090903BDE72EC03C789450083C50883C10883C208EBC0833DA000BA0001741BB90400FD01BA#

add tmp1, 30      //60

mov [tmp1], #04001602BD04001802C705A000BA0001000000EB9C9D61909000000000000000#



mov tmp1, dllimgbase

add tmp1, 3     //3

mov [tmp1], tablea

add tmp1, 5     //8

mov [tmp1], tableb

add tmp1, 5     //D

mov [tmp1], dataloc

add tmp1, 5     //12

mov [tmp1], decryptaddr

find tablea, #0000000000000000#

mov tmp2, $RESULT

cmp tmp2, 0

je error

mov dataendaddr, tmp2

sub tmp2, 8

mov tmp3, [tmp2]      //data limit

add tmp1, 0F    //21

mov [tmp1], tmp3

add tmp1, 10    //31

eval "add ebx, 0{tmp8}"

asm tmp1, $RESULT

mov tmp3, dllimgbase

add tmp3, A0

add tmp1, 22    //53

mov [tmp1], tmp3

add tmp1, 8    //5B

mov tmp2, tablea

add tmp2, 4

mov [tmp1], tmp2

add tmp1, 5     //60

mov tmp2, tableb

add tmp2, 4

mov [tmp1], tmp2

add tmp1, 5     //65

mov tmp2, dataloc

add tmp2, 4

mov [tmp1], tmp2

add tmp1, 6     //6B

mov [tmp1], tmp3

mov tmp5, dllimgbase

add tmp5, 77    //end point

mov eip, dllimgbase

bp tmp5

eob lab34_1

eoe lab34_1

esto



lab34_1:

cmp eip, tmp5

je lab34_2

esto



lab34_2:

bc tmp5

mov eip, tmp7

fill dllimgbase, 100, 00



find paddr2, #5?5?5?E9??F?FFFF#

mov tmp1, $RESULT

cmp tmp1, 0

je error

mov paddr3, tmp1

//log paddr3



find paddr1, #FFD0#     //"call eax" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryecx

cmp paddr4, paddr2

jb iscalleax



tryecx:

find paddr1, #FFD1#     //"call ecx" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryedx

cmp paddr4, paddr2

jb iscallecx



tryedx:

find paddr1, #FFD2#     //"call edx" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryebx

cmp paddr4, paddr2

jb iscalledx



tryebx:

find paddr1, #FFD3#     //"call ebx" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryesp

cmp paddr4, paddr2

jb iscallebx



tryesp:

find paddr1, #FFD4#     //"call esp" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryebp

cmp paddr4, paddr2

jb iscallesp



tryebp:

find paddr1, #FFD5#     //"call ebp" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryesi

cmp paddr4, paddr2

jb iscallebp



tryesi:

find paddr1, #FFD6#     //"call esi" ?

mov paddr4, $RESULT

cmp paddr4, 0

je tryedi

cmp paddr4, paddr2

jb iscallesi



tryedi:

find paddr1, #FFD7#     //"call edi" ?

mov paddr4, $RESULT

cmp paddr4, 0

je hexfind2

cmp paddr4, paddr2

jb iscalledi



hexfind2:

log tmp9

mov tmp1, [tmp9+1]

add tmp1, tmp9

sub tmp1, 50

mov tmp4, 50



loop5:

cmp tmp4, 0

je error

mov tmp2, [tmp1]

and tmp2, f0ff

cmp tmp2, 0000D0ff

je hexfound2

sub tmp4, 1

add tmp1, 1

jmp loop5



hexfound2:

mov paddr4, tmp1

//log paddr4

mov tmp2, [paddr4+1]

and tmp2, 0f

cmp tmp2, 0

je iscalleax

cmp tmp2, 1

je iscallecx

cmp tmp2, 2

je iscalledx

cmp tmp2, 3

je iscallebx

cmp tmp2, 4

je iscallesp

cmp tmp2, 5

je iscallebp

cmp tmp2, 6

je iscallesi

cmp tmp2, 7

je iscalledi

jmp error



iscalleax:

mov caller1, "eax"

jmp lab35



iscallecx:

mov caller1, "ecx"

jmp lab35



iscalledx:

mov caller1, "edx"

jmp lab35



iscallebx:

mov caller1, "ebx"

jmp lab35



iscallesp:

mov caller1, "esp"

jmp lab35



iscallebp:

mov caller1, "ebp"

jmp lab35



iscallesi:

mov caller1, "esi"

jmp lab35



iscalledi:

mov caller1, "edi"



lab35:

//log paddr4

mov paddr5, paddr1

sub paddr5, 4

mov ori6, [paddr5]

mov tmp1, dllimgbase

mov tmp2, dllimgbase

add tmp2, 100     //dllimgbase+100

mov [tmp2], dataloc

mov tmp3, tmp2

add tmp3, 4       //dllimgbase+104

mov tmp5, dataloc

add tmp5, 2008

mov [tmp3], tmp5

mov tmp4, dllimgbase

add tmp4, 7A      //dllimgbase+7A

mov [tmp1], #609C68000040006800001602680000FD01E8EAFF5C01832D0401BA0004C6057A00BA002DC605D800BA002DC7050001BA#

add tmp1, 30    //30

mov [tmp1], #000400180268000040006804001602680400FD01E8B2FF5C01EB5590000000008B050001BA008B00909083050001BA00#

add tmp1, 30    //60

mov [tmp1], #0890E92C015D01000000000000009090538B1D0401BA00890383050401BA00085B909090909090909090909090909090#

add tmp1, 30    //90

mov [tmp1], #00000000000000000000000000000000BE00201802BFD8214D00B92E010000F2A5B8D8214D00C70096000000C74004E0# 

add tmp1, 30    //C0

mov [tmp1], #214D009D61909000000000000000009083050001BA000883050401BA0008E9B8005D0100000000000000000000000000# 



mov tmp1, dllimgbase

add tmp1, 3

mov [tmp1], imgbase

add tmp1, 5     //8

mov [tmp1], tableb

add tmp1, 5    //0D

mov [tmp1], tablea

add tmp1, 4    //11

eval "call 0{decryptaddr}"

asm tmp1, $RESULT

add tmp1, 7    //18

mov [tmp1], tmp3

add tmp1, 7    //1F

mov [tmp1], tmp4     //tmp4=dllimgbase+7A

add tmp1, 7    //26

add tmp4, 5E         //tmp4=dllimgbase+D8

mov [tmp1], tmp4

add tmp1, 7    //2D

mov [tmp1], tmp2

add tmp1, 4    //31

mov tmp5, dataloc

add tmp5, 4

mov [tmp1], tmp5

add tmp1, 5    //36

mov [tmp1], imgbase

add tmp1, 5    //3B

mov tmp5, tableb

add tmp5, 4   

mov [tmp1], tmp5

add tmp1, 5    //40

mov tmp5, tablea

add tmp5, 4

mov [tmp1], tmp5

add tmp1, 4    //44

eval "call 0{decryptaddr}"

asm tmp1, $RESULT

add tmp1, 0E   //52

mov [tmp1], tmp2

add tmp1, A    //5C

mov [tmp1], tmp2

add tmp1, 5    //61

eval "jmp 0{paddr3}"

asm tmp1, $RESULT

add tmp1, 12   //73

mov [tmp1], tmp3

add tmp1, 8    //7B

mov [tmp1], tmp3

mov tmp5, dllimgbase

add tmp5, 50

eval "jmp 0{tmp5}"

asm paddr1, $RESULT

mov tmp1, dllimgbase

add tmp1, 50   //50

scmpi caller1, "eax"

je lab35_1

scmpi caller1, "ecx"

je writeecx

scmpi caller1, "edx"

je writeedx

scmpi caller1, "ebx"

je writeebx

scmpi caller1, "esp"

je writeesp

scmpi caller1, "ebp"

je writeebp

scmpi caller1, "esi"

je writeesi

scmpi caller1, "edi"

je writeedi

jmp error



writeecx:

mov [tmp1], #8B0D#

add tmp1, 6      //56

asm tmp1, "mov ecx, [ecx]"

add tmp1, 21     //77

mov [tmp1], #890B#

jmp lab35_1



writeedx:

mov [tmp1], #8B15#

add tmp1, 6       //56

asm tmp1, "mov edx, [edx]"

add tmp1, 21     //77

mov [tmp1], #8913#

jmp lab35_1



writeebx:

mov [tmp1], #8B1D#

add tmp1, 6       //56

asm tmp1, "mov ebx, [ebx]"

add tmp1, 1A     //70

asm tmp1, "push eax"

add tmp1, 1      //71

mov [tmp1], #8B05#

add tmp1, 6      //77

mov [tmp1], #8918#

add tmp1, 9      //80

asm tmp1, "pop eax"

jmp lab35_1



writeesp:

mov [tmp1], #8B25#

add tmp1, 6       //56

asm tmp1, "mov esp, [esp]"

add tmp1, 21     //77

mov [tmp1], #8923#

jmp lab35_1



writeebp:

mov [tmp1], #8B2D#

add tmp1, 6       //56

mov [tmp1], #8B6D0090#

add tmp1, 21     //77

mov [tmp1], #892B#

jmp lab35_1



writeesi:

mov [tmp1], #8B35#

add tmp1, 6       //56

asm tmp1, "mov esi, [esi]"

add tmp1, 21     //77

mov [tmp1], #8933#

jmp lab35_1



writeedi:

mov [tmp1], #8B3D#

add tmp1, 6        //56

asm tmp1, "mov edi, [edi]"

add tmp1, 21     //77

mov [tmp1], #893B#



lab35_1:

mov tmp1, dllimgbase

add tmp1, 83    //83

mov ori3, [paddr4]

mov ori4, [paddr4+4]

mov ori5, [paddr4+8]

mov tmp5, paddr4

add tmp5, 2

opcode tmp5

mov tmp4, $RESULT_2  //length of 1st cmd after call reg

cmp tmp4, 3

jae lab35_14

cmp tmp4, 1

je lab35_3



//length of 1st cmd = 2

mov tmp6, [tmp5], 2  

cmp tmp6, 1EB

je lab35_2

cmp tmp6, 2EB

jne lab35_4



lab35_2:

mov tmp3, [tmp5+1], 1

add tmp4, tmp3

add tmp4, tmp5

eval "jmp 0{tmp4}"

asm tmp1, $RESULT

jmp lab36_1



//length of 1st cmd = 1

lab35_3:

mov tmp3, [tmp5]    

and tmp3, 00F0FFF0       

cmp tmp3, 0EBF0     //"prefix ??", "jmp ???????"

jne lab35_4

mov tmp3, [tmp5+2], 1

add tmp3, tmp5

add tmp3, tmp4

add tmp3, 2

eval "jmp 0{tmp3}"

asm tmp1, $RESULT

jmp lab36_1



//2nd cmd after call reg

lab35_4:

mov tmp6, tmp5

add tmp6, tmp4

opcode tmp6

mov tmp8, $RESULT_2  //length of 2nd cmd after call reg

mov tmp2, tmp4

add tmp4, tmp8       

cmp tmp8, 2

je lab35_5

cmp tmp8, 3

je lab35_7

cmp tmp4, 3

jae copybyte

jmp lab35_9



//length of 2nd cmd = 2

lab35_5:

mov tmp3, [tmp6], 2  

cmp tmp3, 1EB

je lab35_6

cmp tmp3, 2EB

je lab35_6

cmp tmp4, 3

jae copybyte

jmp lab35_9



lab35_6:

opcode tmp5

mov tmp3, $RESULT_1

eval "{tmp3}"

asm tmp1, $RESULT

add tmp1, tmp8

mov tmp3, 0              //For Odbgscript compatibility

mov tmp3, [tmp6+1], 1

add tmp2, tmp3

add tmp2, tmp8

add tmp2, tmp5

eval "jmp 0{tmp2}"

asm tmp1, $RESULT

jmp lab36_1



//length of 2nd cmd = 3

lab35_7:

mov tmp3, [tmp6+1], 2  

cmp tmp3, 1EB

je lab35_8

cmp tmp3, 2EB

je lab35_8

cmp tmp4, 3

jae copybyte

jmp lab35_9



lab35_8:

opcode tmp5

mov tmp3, $RESULT_1

eval "{tmp3}"

asm tmp1, $RESULT

add tmp1, tmp8

mov tmp3, 0              //For Odbgscript compatibility

mov tmp3, [tmp6+2], 1

add tmp2, tmp3

add tmp2, tmp8

add tmp2, tmp5

eval "jmp 0{tmp2}"

asm tmp1, $RESULT

jmp lab36_1



//3rd cmd after call reg

lab35_9:

mov tmp7, tmp6

add tmp7, tmp8

opcode tmp7

mov tmp9, $RESULT_2     //length of 3rd cmd after call reg

add tmp4, tmp9

cmp tmp9, 2

je lab35_10

cmp tmp9, 3

je lab35_12

jmp copybyte



//length of 3rd cmd = 2

lab35_10:

mov tmp3, [tmp7], 2  

cmp tmp3, 1EB

je lab35_11

cmp tmp3, 2EB

je lab35_11

jmp copybyte



lab35_11:

mov tmp3, [tmp5], 2

mov [tmp1], tmp3

add tmp1, 2

mov tmp3, [tmp7+1], 1

add tmp2, tmp3

add tmp2, tmp8

add tmp2, tmp9

add tmp2, tmp5

eval "jmp 0{tmp2}"

asm tmp1, $RESULT

jmp lab36_1



//length of 3rd cmd = 3

lab35_12:

mov tmp3, [tmp7+1], 2  

cmp tmp3, 1EB

je lab35_13

cmp tmp3, 2EB

je lab35_13

jmp copybyte



lab35_13:

mov tmp3, [tmp5], 2

mov [tmp1], tmp3

add tmp1, 2

mov tmp3, [tmp7+2], 1

add tmp2, tmp3

add tmp2, tmp8

add tmp2, tmp9

add tmp2, tmp5

eval "jmp 0{tmp2}"

asm tmp1, $RESULT

jmp lab36_1



//one command to copy

lab35_14:

cmp tmp4, 3

jne copybyte

//length of 1st cmd = 3

mov tmp3, [tmp5+1]

and tmp3, 0F0FF       

cmp tmp3, EB

je lab35_15

jmp copybyte



lab35_15:

mov tmp3, [tmp5+2], 1

add tmp3, tmp5

add tmp3, tmp4

eval "jmp 0{tmp3}"

asm tmp1, $RESULT

jmp lab36_1



copybyte:

mov tmp6, tmp5    //paddr4+2

mov tmp7, tmp1    //patch addr in dllimgbase

mov tmp3, tmp4    //ttl bytes to copy

shr tmp3, 2

mov tmp2, tmp3

shl tmp2, 2

cmp tmp4, tmp2

je copybyte_1

add tmp3, 1



copybyte_1:

cmp tmp3, 0

je lab36

mov tmp2, [tmp6]

mov [tmp7], tmp2

sub tmp3, 1

add tmp6, 4

add tmp7, 4

jmp copybyte_1



lab36:

add tmp1, tmp4

add tmp5, tmp4

eval "jmp 0{tmp5}"

asm tmp1, $RESULT



lab36_1:

mov tmp1, dllimgbase

add tmp1, 70

eval "jmp 0{tmp1}"

asm paddr4, $RESULT



//

mov tmp1, dllimgbase

add tmp1, D2

mov tmp2, dllimgbase

add tmp2, 100

mov [tmp1], tmp2

add tmp1, 7       //D9

add tmp2, 4

mov [tmp1], tmp2

add tmp1, 5       //DE

mov tmp2, paddr5

sub tmp2, 2

mov tmp3, tmp2

add tmp2, ori6

add tmp2, 6

eval "jmp 0{tmp2}"

asm tmp1, $RESULT

mov tmp1, dllimgbase

add tmp1, D0

eval "jz 0{tmp1}"

asm tmp3, $RESULT



//for move data

mov tmp1, dllimgbase

add tmp1, 0A1         //A1

mov tmp2, dataloc

add tmp2, 2000

mov [tmp1], tmp2

add tmp1, 5           //A6

mov [tmp1], countaddr

add tmp1, 5           //AB

mov tmp2, dataendaddr

sub tmp2, tablea

add tmp2, 8

shr tmp2, 2

mov [tmp1], tmp2

add tmp1, 7           //B2

mov [tmp1], countaddr

add tmp1, 6           //B8

mov tmp2, dataendaddr

sub tmp2, tablea

shr tmp2, 3

mov [tmp1], tmp2

add tmp1, 7           //BF

mov tmp2, countaddr

add tmp2, 8

mov [tmp1], tmp2

mov tmp7, eip

mov eip, dllimgbase

mov tmp1, dllimgbase

add tmp1, C5          //end point

bp tmp1

eob lab36_2

eoe lab36_2

esto



lab36_2:

cmp eip, tmp1

je lab36_3

esto



lab36_3:

bc tmp1



//Restore original code

mov tmp2, paddr1

mov [tmp2], ori1

add tmp2, 4

mov [tmp2], ori2

mov tmp2, paddr4

mov [tmp2], ori3

add tmp2, 4

mov [tmp2], ori4

add tmp2, 4

mov [tmp2], ori5

mov [paddr5], ori6

mov caller1, "nil"



mov eip, tmp7

//msg "Delphi initialization table moved"

fill dllimgbase, 110, 00

jmp lab41_1



lab41:

cob

coe

rtr



lab41_1:

cmp type3API, 0

je lab46



//fix type3 API

mov tmp4, APIpoint3

sub tmp4, 100

find tmp4, #05FF000000508BC3#

mov tmp1, $RESULT

cmp tmp1, 0

je error

add tmp1, 8

//log tmp1

opcode tmp1

mov func1, $RESULT_1

//log func1

add tmp1, 5

find tmp1, #8BC3E8??#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 2

opcode tmp2

mov func2, $RESULT_1

//log func2

add tmp2, 5

find tmp2, #8BC3E8??#

mov tmp1, $RESULT

cmp tmp1, 0

je error

add tmp1, 2

opcode tmp1

mov func3, $RESULT_1

//log func3

mov tmp3, [tmp1-D], 1

cmp tmp3, 50

je lab42

mov v1.32, 1

//log v1.32



lab42:

mov tmp1, dllimgbase

mov [tmp1], #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#

add tmp1, 30     //30

mov [tmp1], #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#

add tmp1, 30     //60

mov [tmp1], #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#

add tmp1, 30     //90

mov [tmp1], #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#

add tmp1, 30     //C0

mov [tmp1], #0000508BC3E85A6A03008BC88B53108BC3E8725803008B552403553403D08955248B55282B55342BD089552833C08A47#

add tmp1, 30     //F0

mov [tmp1], #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#

add tmp1, 30     //120

mov [tmp1], #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#

add tmp1, 30    //150

mov [tmp1], #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#

add tmp1, 30    //180

mov [tmp1], #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#

add tmp1, 30    //1B0

mov [tmp1], #FEFFFF6190#

mov tmp1, dllimgbase

mov tmp2, dllimgbase

add tmp2, 0D00        //dllimgbase+D00

mov tmp3, dllimgbase

add tmp3, 0D68        //Dllimgbase+D68

add tmp1, 2           //2

mov [tmp1], EBXaddr

add tmp1, 5           //7

mov [tmp1], tmp2

add tmp1, BE          //C5

eval "{func1}"

asm tmp1, $RESULT

add tmp1, 0C          //D1

eval "{func2}"

asm tmp1, $RESULT

add tmp1, 58          //129

eval "{func3}"

asm tmp1, $RESULT

add tmp1, 48          //171

mov [tmp1], iatstartaddr

add tmp1, D           //17E

mov [tmp1], iatendaddr

add tmp1, A           //188

mov [tmp1], imgbase

add tmp1, 6           //18E

mov [tmp1], imgbasefromdisk

add tmp1, 5           //193   error point   

mov tmp5, tmp1

bp tmp5

add tmp1, 21          //1B4   end point

mov tmp6, tmp1

bp tmp6

mov tmp7, eip         //store eip

cmp v1.32, 1

jne lab43

mov tmp1, dllimgbase

add tmp1, 11B         //dllimgbase+11B

mov [tmp1], #90909090#

add tmp1, 13          //dllimgbase+12E

mov [tmp1], #8BD090909090909090#



lab43:

mov eip, dllimgbase

eob lab44

eoe lab44

run



lab44:

cmp eip, tmp5      //error

je lab60

cmp eip, tmp6      //OK

je lab45

jmp error



lab45:

bc tmp5

bc tmp6

//msg "fix type3 API OK!"

//pause

mov type3count, [tmp3]

//log type3count

fill dllimgbase, 0E00, 00

mov eip, tmp7           //restore eip



lab46:

cmp AsprAPIloc, 0

je lab52

cmp Aspr1stthunk, 0     //VB app ?

je lab52

mov count, 120         //Need free space 120 bytes for 2.xx

call FindEMUAddr

//call EmulateAsprAPI



//$$$ fix Asprotect API $$$

lab46_1:

//chk number of API

mov tmp5, 0           //counter

mov tmp6, Aspr1stthunk

mov tmp1, AsprAPIloc

add tmp1, 4

mov caller, "lab46_1"



lab46_2:

mov tmp2, [tmp1]

GMEMI tmp2, MEMORYOWNER

mov tmp3, $RESULT

cmp tmp3, dllimgbase

jne lab46_3

add tmp5, 1

add tmp1, 4

jmp lab46_2



lab46_3:

log tmp5, "Total API in this Asprotect = "



//Emulate Aspr API

lab47:

mov tmp10, 0

cmp tmp5, 0B

je loop8

cmp tmp5, 0C

je loop9

cmp tmp5, 0D

je loop10

msg "unknown Asprotect API"

jmp error



//Asprotect 2.3 build01.14

loop8:

mov tmp7, AsprAPIloc

scmp caller, "lab84"

je loop8_2

mov tmp1, [tmp6]

GMEMI tmp1, MEMORYOWNER

mov tmp2, $RESULT

cmp tmp2, dllimgbase

jne lab48

mov tmp8, 0    //reset counter



loop8_1:

cmp tmp8, tmp5       //compare all the API in AsprAPIloc?

ja error

mov tmp2, [tmp7]     //AsprAPIloc

cmp tmp1, tmp2

je loop8_3

add tmp7, 4

add tmp8, 1

jmp loop8_1 



loop8_2:

mov tmp1, [tmp6]

cmp tmp1, 0

je lab48

mov tmp8, [tmp6+4]



//0-GetRegistrationKeys,1-GetRegistrationInformation,2-CheckKey,3-CheckKeyAndDecrypt

//4-GetKeyDate,5-GetKeyExpirationDate,6-GetTrialDays,7-GetTrialExecs

//8-GetExpirationDate,9-GetModeInformation,A-GetHardwareID,B-SetUserKey

loop8_3:

cmp tmp8, 1

je B_GRI

cmp tmp8, 2

je B_CK

cmp tmp8, 3

je B_CKAD

cmp tmp8, 4

je B_GKD

cmp tmp8, 5

je B_GKED

cmp tmp8, 6

je B_GTD

cmp tmp8, 7

je B_GTE

cmp tmp8, 8

je B_GED

cmp tmp8, 9

je B_GMI

cmp tmp8, 0A

je B_GHI

msg "This API is not emulated"

//pause

scmp caller, "lab84"

je loop8_4

add tmp6, 4

jmp loop8



loop8_4:

add tmp6, 8

jmp loop8



//GetRegistrationInformation

B_GRI:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#

add tmp3, 6

mov tmp4, EmuAddr

add tmp4, 20

mov [tmp4], #313131313232323233333333#           //111122223333

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne B_GRI_1

mov tmp9, EmuAddr

add tmp9, 6

call DLLASPRAPI



B_GRI_1:

add tmp3, 0A

mov tmp4, EmuAddr

add tmp4, 30

cmp isdll, 1

jne B_GRI_2

mov tmp9, EmuAddr

add tmp9, 10

call DLLASPRAPI



B_GRI_2:

mov [tmp4], #04000000566F6C58#

add tmp4, 4

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetRegistrationInformation  "

scmp caller, "lab84"

je B_GRI_3

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 40

add tmp6, 4

jmp loop8



B_GRI_3:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 40

add tmp6, 8

jmp loop8



//CheckKey

B_CK:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20C00#

log EmuAddr, "CheckKey  "

scmp caller, "lab84"

je B_CK_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop8



B_CK_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop8



//CheckKeyAndDecrypt

B_CKAD:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20C00#

log EmuAddr, "CheckKeyAndDecrypt  "

scmp caller, "lab84"

je B_CKAD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop8



B_CKAD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop8



//GetKeyDate

B_GKD:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#

log EmuAddr, "GetKeyDate  "

scmp caller, "lab84"

je B_GKD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop8



B_GKD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop8



//GetKeyExpirationDate

B_GKED:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#

log EmuAddr, "GetKeyExpirationDate  "

scmp caller, "lab84"

je B_GKED_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop8



B_GKED_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop8



//GetTrialDays

B_GTD:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#

log EmuAddr, "GetTrialDays  "

scmp caller, "lab84"

je B_GTD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop8



B_GTD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop8



//GetTrialExecs

B_GTE:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#

log EmuAddr, "GetTrialExecs  "

scmp caller, "lab84"

je B_GTE_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop8



B_GTE_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop8



//GetExpirationDate

B_GED:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#

log EmuAddr, "GetExpirationDate  "

scmp caller, "lab84"

je B_GED_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop8



B_GED_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop8



//GetModeInformation

B_GMI:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#

add tmp3, 6

mov tmp4, EmuAddr

add tmp4, 20

mov [tmp4], #53697465204C6963656E7365#           //Site license

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne B_GMI_1

mov tmp9, EmuAddr

add tmp9, 6

call DLLASPRAPI



B_GMI_1:

add tmp3, 0A

mov tmp4, EmuAddr

add tmp4, 30

mov [tmp4], #030000000#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne B_GMI_2

mov tmp9, EmuAddr

add tmp9, 10

call DLLASPRAPI



B_GMI_2:

log EmuAddr, "GetModeInformation  "

scmp caller, "lab84"

je B_GMI_3

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 40

add tmp6, 4

jmp loop8



B_GMI_3:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 40

add tmp6, 8

jmp loop8



//GetHardwareID

B_GHI:

mov tmp3, EmuAddr

mov [tmp3], #B890909000C3#

add tmp3, 1

mov tmp4, EmuAddr

add tmp4, 10

mov [tmp4], #31323334353637382D34343434#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetHardwareID  "

cmp isdll, 1

jne B_GHI_1

mov tmp9, EmuAddr

add tmp9, 1

call DLLASPRAPI



B_GHI_1:

scmp caller, "lab84"

je B_GHI_2

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop8



B_GHI_2:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop8



//Asprotect v2.11

loop9:

mov tmp7, AsprAPIloc

scmp caller, "lab84"

je loop9_2

mov tmp1, [tmp6]

GMEMI tmp1, MEMORYOWNER

mov tmp2, $RESULT

cmp tmp2, dllimgbase

jne lab48

mov tmp8, 0    //reset counter



loop9_1:

cmp tmp8, tmp5       //compare all the API in AsprAPIloc?

ja error

mov tmp2, [tmp7]     //AsprAPIloc

cmp tmp1, tmp2

je loop9_3

add tmp7, 4

add tmp8, 1

jmp loop9_1 



loop9_2:

//log tmp6

mov tmp1, [tmp6]

cmp tmp1, 0

je lab48

mov tmp8, [tmp6+4]



//0-GetRegistrationKeys,1-GetRegistrationInformation,2-SaveKey,3-CheckKey

//4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays

//8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID

//C-SetUserKey

loop9_3:

cmp tmp8, 1

je C_GRI

cmp tmp8, 3

je C_CK

cmp tmp8, 4

je C_CKAD

cmp tmp8, 5

je C_GKD

cmp tmp8, 6

je C_GKED

cmp tmp8, 7

je C_GTD

cmp tmp8, 8

je C_GTE

cmp tmp8, 9

je C_GED

cmp tmp8, 0A

je C_GMI

cmp tmp8, 0B

je C_GHI

msg "This API is not emulated"

//pause

scmp caller, "lab84"

je loop9_4

add tmp6, 4

jmp loop9



loop9_4:

add tmp6, 8

jmp loop9



//GetRegistrationInformation

C_GRI:

mov tmp3, EmuAddr

mov [tmp3], #8B442404C700909090008B442408C70090909000B801000000C20800#

add tmp3, 6

mov tmp4, EmuAddr

add tmp4, 20

mov [tmp4], #313131313232323233333333#           //111122223333

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne C_GRI_1

mov tmp9, EmuAddr

add tmp9, 6

call DLLASPRAPI



C_GRI_1:

add tmp3, 0A

mov tmp4, EmuAddr

add tmp4, 30

cmp isdll, 1

jne C_GRI_2

mov tmp9, EmuAddr

add tmp9, 10

call DLLASPRAPI



C_GRI_2:

mov [tmp4], #04000000566F6C58#

add tmp4, 4

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetRegistrationInformation  "

scmp caller, "lab84"

je C_GRI_3

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 40

add tmp6, 4

jmp loop9



C_GRI_3:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 40

add tmp6, 8

jmp loop9



//CheckKey

C_CK:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20800#

log EmuAddr, "CheckKey  "

scmp caller, "lab84"

je C_CK_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop9



C_CK_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop9



//CheckKeyAndDecrypt

C_CKAD:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20C00#

log EmuAddr, "CheckKeyAndDecrypt  "

scmp caller, "lab84"

je C_CKAD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop9



C_CKAD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop9



//GetKeyDate

C_GKD:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C20C00#

log EmuAddr, "GetKeyDate  "

scmp caller, "lab84"

je C_GKD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop9



C_GKD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop9



//GetKeyExpirationDate

C_GKED:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#

log EmuAddr, "GetKeyExpirationDate  "

scmp caller, "lab84"

je C_GKED_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop9



C_GKED_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop9



//GetTrialDays

C_GTD:

mov tmp3, EmuAddr

mov [tmp3], #8B442404C7001E0000008B442408C7001E000000B801000000C20800#

log EmuAddr, "GetTrialDays  "

scmp caller, "lab84"

je C_GTD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop9



C_GTD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop9



//GetTrialExecs

C_GTE:

mov tmp3, EmuAddr

mov [tmp3], #8B442404C7001E0000008B442408C7001E000000B801000000C20800#

log EmuAddr, "GetTrialExecs  "

scmp caller, "lab84"

je C_GTE_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop9



C_GTE_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop9



//GetExpirationDate

C_GED:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#

log EmuAddr, "GetExpirationDate  "

scmp caller, "lab84"

je C_GED_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop9



C_GED_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop9



//GetModeInformation

C_GMI:

mov tmp3, EmuAddr

mov [tmp3], #8B442404C700909090008B442408C70090909000B801000000C20C00#

add tmp3, 6

mov tmp4, EmuAddr

add tmp4, 20

mov [tmp4], #53697465204C6963656E7365#           //Site license

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne C_GMI_1

mov tmp9, EmuAddr

add tmp9, 6

call DLLASPRAPI



C_GMI_1:

add tmp3, 0A

mov tmp4, EmuAddr

add tmp4, 30

mov [tmp4], #030000000#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne C_GMI_2

mov tmp9, EmuAddr

add tmp9, 10

call DLLASPRAPI



C_GMI_2:

log EmuAddr, "GetModeInformation  "

scmp caller, "lab84"

je C_GMI_3

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 40

add tmp6, 4

jmp loop9



C_GMI_3:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 40

add tmp6, 8

jmp loop9



//GetHardwareID

C_GHI:

mov tmp3, EmuAddr

mov [tmp3], #B890909000C3#

add tmp3, 1

mov tmp4, EmuAddr

add tmp4, 10

mov [tmp4], #31323334353637382D34343434#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetHardwareID  "

cmp isdll, 1

jne C_GHI_1

mov tmp9, EmuAddr

add tmp9, 1

call DLLASPRAPI



C_GHI_1:

scmp caller, "lab84"

je C_GHI_2

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop9



C_GHI_2:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop9



//Asprotect 2.3 build04.26

loop10:

mov tmp7, AsprAPIloc

scmp caller, "lab84"

je loop10_2

mov tmp1, [tmp6]

GMEMI tmp1, MEMORYOWNER

mov tmp2, $RESULT

cmp tmp2, dllimgbase

jne lab48

mov tmp8, 0    //reset counter



loop10_1:

cmp tmp8, tmp5       //compare all the API in AsprAPIloc?

ja error

mov tmp2, [tmp7]     //AsprAPIloc

cmp tmp1, tmp2

je loop10_3

add tmp7, 4

add tmp8, 1

jmp loop10_1 



loop10_2:

//log tmp6

mov tmp1, [tmp6]

cmp tmp1, 0

je lab48

mov tmp8, [tmp6+4]



//0-GetRegistrationKeys,1-GetRegistrationInformation,2-RemoveKey,3-CheckKey

//4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays

//8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID

//C-GetHardwareIDEx,D-SetUserKey

loop10_3:

cmp tmp8, 1

je D_GRI

cmp tmp8, 2

je D_RK

cmp tmp8, 3

je D_CK

cmp tmp8, 4

je D_CKAD

cmp tmp8, 5

je D_GKD

cmp tmp8, 6

je D_GKED

cmp tmp8, 7

je D_GTD

cmp tmp8, 8

je D_GTE

cmp tmp8, 9

je D_GED

cmp tmp8, 0A

je D_GMI

cmp tmp8, 0B

je D_GHI

cmp tmp8, 0C

je D_GHIE

msg "This API is not emulated"

//pause

scmp caller, "lab84"

je loop10_4

add tmp6, 4

jmp loop10



loop10_4:

add tmp6, 8

jmp loop10



//GetRegistrationInformation

D_GRI:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#

add tmp3, 6

mov tmp4, EmuAddr

add tmp4, 20

mov [tmp4], #313131313232323233333333#           //111122223333

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne D_GRI_1

mov tmp9, EmuAddr

add tmp9, 6

call DLLASPRAPI



D_GRI_1:

add tmp3, 0A

mov tmp4, EmuAddr

add tmp4, 30

cmp isdll, 1

jne D_GRI_2

mov tmp9, EmuAddr

add tmp9, 10

call DLLASPRAPI



D_GRI_2:

mov [tmp4], #04000000566F6C58#

add tmp4, 4

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetRegistrationInformation  "

scmp caller, "lab84"

je D_GRI_3

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 40

add tmp6, 4

jmp loop10



D_GRI_3:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 40

add tmp6, 8

jmp loop10



//RemoveKey

D_RK:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20C00#

log EmuAddr, "RemoveKey  "

scmp caller, "lab84"

je D_RK_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop10



D_RK_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop10



//CheckKey

D_CK:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20C00#

log EmuAddr, "CheckKey  "

scmp caller, "lab84"

je D_CK_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop10



D_CK_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop10



//CheckKeyAndDecrypt

D_CKAD:

mov tmp3, EmuAddr

mov [tmp3], #B801000000C20C00#

log EmuAddr, "CheckKeyAndDecrypt  "

scmp caller, "lab84"

je D_CKAD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 10

add tmp6, 4

jmp loop10



D_CKAD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 10

add tmp6, 8

jmp loop10



//GetKeyDate

D_GKD:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#

log EmuAddr, "GetKeyDate  "

scmp caller, "lab84"

je D_GKD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop10



D_GKD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop10



//GetKeyExpirationDate

D_GKED:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#

log EmuAddr, "GetKeyExpirationDate  "

scmp caller, "lab84"

je D_GKED_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop10



D_GKED_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop10



//GetTrialDays

D_GTD:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#

log EmuAddr, "GetTrialDays  "

scmp caller, "lab84"

je D_GTD_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop10



D_GTD_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop10



//GetTrialExecs

D_GTE:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#

log EmuAddr, "GetTrialExecs  "

scmp caller, "lab84"

je D_GTE_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop10



D_GTE_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop10



//GetExpirationDate

D_GED:

mov tmp3, EmuAddr

mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#

log EmuAddr, "GetExpirationDate  "

scmp caller, "lab84"

je D_GED_1

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 30

add tmp6, 4

jmp loop10



D_GED_1:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 30

add tmp6, 8

jmp loop10



//GetModeInformation

D_GMI:

mov tmp3, EmuAddr

mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#

add tmp3, 6

mov tmp4, EmuAddr

add tmp4, 20

mov [tmp4], #53697465204C6963656E7365#           //Site license

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne D_GMI_1

mov tmp9, EmuAddr

add tmp9, 6

call DLLASPRAPI



D_GMI_1:

add tmp3, 0A

mov tmp4, EmuAddr

add tmp4, 30

mov [tmp4], #030000000#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

cmp isdll, 1

jne D_GMI_2

mov tmp9, EmuAddr

add tmp9, 10

call DLLASPRAPI



D_GMI_2:

log EmuAddr, "GetModeInformation  "

scmp caller, "lab84"

je D_GMI_3

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 40

add tmp6, 4

jmp loop10



D_GMI_3:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 40

add tmp6, 8

jmp loop10



//GetHardwareID

D_GHI:

mov tmp3, EmuAddr

mov [tmp3], #B890909000C20400#

add tmp3, 1

mov tmp4, EmuAddr

add tmp4, 10

mov [tmp4], #31323334353637382D34343434#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetHardwareID  "

cmp isdll, 1

jne D_GHI_1

mov tmp9, EmuAddr

add tmp9, 1

call DLLASPRAPI



D_GHI_1:

scmp caller, "lab84"

je D_GHI_2

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop10



D_GHI_2:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop10



//GetHardwareIDEx

D_GHIE:

mov tmp3, EmuAddr

mov [tmp3], #B890909000C3#

add tmp3, 1

mov tmp4, EmuAddr

add tmp4, 10

mov [tmp4], #31323334353637382D34343434#

sub tmp4, imgbase

add tmp4, imgbasefromdisk

mov [tmp3], tmp4

log EmuAddr, "GetHardwareIDEx  "

cmp isdll, 1

jne D_GHIE_1

mov tmp9, EmuAddr

add tmp9, 1

call DLLASPRAPI



D_GHIE_1:

scmp caller, "lab84"

je D_GHIE_2

mov tmp3, EmuAddr

sub tmp3, imgbase

add tmp3, imgbasefromdisk

mov [tmp6], tmp3

add EmuAddr, 20

add tmp6, 4

jmp loop10



D_GHIE_2:

eval "jmp 0{EmuAddr}"

asm tmp1, $RESULT

add EmuAddr, 20

add tmp6, 8

jmp loop10



DLLASPRAPI:

cmp tmp10, 0

je reloc1

cmp tmp10, 1

je reloc2

cmp tmp10, 2

je reloc3

cmp tmp10, 3

je reloc4

cmp tmp10, 4

je reloc5

cmp tmp10, 5

je reloc6

msg "DLLASPRAPI error"

//pause

jmp error



reloc1:

sub tmp9, imgbase

mov reloc1, tmp9

jmp DLLASPRAPI_1



reloc2:

sub tmp9, imgbase

mov reloc2, tmp9

jmp DLLASPRAPI_1



reloc3:

sub tmp9, imgbase

mov reloc3, tmp9

jmp DLLASPRAPI_1



reloc4:

sub tmp9, imgbase

mov reloc4, tmp9

jmp DLLASPRAPI_1



reloc5:

sub tmp9, imgbase

mov reloc5, tmp9

jmp DLLASPRAPI_1



reloc6:

sub tmp9, imgbase

mov reloc6, tmp9



DLLASPRAPI_1:

add tmp10, 1

ret



lab48:

cmp isdll, 1

jne lab51

mov tmp1, reloc_rva

add tmp1, imgbase

mov tmp2, tmp1

add tmp2, 08

mov tmp3, [tmp2], 2

and tmp3, 0F000

cmp tmp3, 3000      //type 3 relocation ?

jne lab51

GMEMI tmp1, MEMORYSIZE

mov tmp2, $RESULT

alloc tmp2

mov reloctemp, $RESULT

//log reloctemp

cmp tmp10, 0        //no relocation of item in emulation code

je lab49_1



//add relocate item for dll

mov tmp1, dllimgbase

mov [tmp1], #609CBD00038D00C745040000E200C7450800D00010C7450C5C040000C7451001000000B917010000B8003000008B7D08#

add tmp1, 30      //30

mov [tmp1], #8BD7F2AF83F9000F85730000008BFA8B0F83F9000F84160200003BC877078B4F0403F9EBEA8BCF8BD12B4D088B5D0C2B#

add tmp1, 30      //60

mov [tmp1], #D98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C20483C708E87A010000E89502000085C0740383#

add tmp1, 30      //90

mov [tmp1], #C70283C108890A598B7504F3A4E94701000090909090909090909090909090908BD783EA04031766837AFE007507C745#

add tmp1, 30      //C0

mov [tmp1], #0001000000578B0F83E90833C083C7048BD7668B07663DFD32771183C70283E90283F9000F84A6010000EBE690909090#

add tmp1, 30      //F0

mov [tmp1], #8BD78BCF2B4D088B5D0C2BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAE8EB000000598B7504F3A45AE8FF0100#

add tmp1, 30      //120

mov [tmp1], #00890A8BFA9C33C98B4510A8010F94C19D83F9010F84AF000000837D0000747090909090909090909090909090909090#

add tmp1, 30      //150

mov [tmp1], #8B0F83E90403F98BD783C7028BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8BF78B7D04F3A433C08BCB8BFAF3AA8BFA#

add tmp1, 30      //180

mov [tmp1], #8B75048BCBF3A4EB60909090909090909090909090909090909090909090909090909090909090909090909090909090#

add tmp1, 30      //1B0

mov [tmp1], #8B0F83E90403F98BD783EF028BD78BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8B7D048BF2F3A48BFA66C70700008B#

add tmp1, 30      //1E0

mov [tmp1], #CB8B750483C702F3A49D619090909090000000000000000000000000000000008B4D1066C707063649E33E83C70266C7#

add tmp1, 30      //210

mov [tmp1], #07103649E33383C70266C707803A49E32883C70266C707803A49E31D83C70266C707803A49E31283C70266C707803A49#

add tmp1, 30      //240

mov [tmp1], #83F9000F850500000083C702C390909000000000000000000000000000000000C70700B000008BD783C20483C708E88D#

add tmp1, 30      //270

mov [tmp1], #FFFFFFE8A800000083C108890AE967FFFFFF00000000000000000000000000008BCF2B4D088B5D0C2BD98BCB578BF78B#

add tmp1, 30      //2A0

mov [tmp1], #7D04F3A45A837D0001750383EA028BFAE84BFFFFFF5AE865000000890A85C0740866C707000083C7028BCB8B7504F3A4#

add tmp1, 30      //2D0

mov [tmp1], #E914FFFFFF9000000000000000000000#

add tmp1, 50      //320

mov [tmp1], #8B4D10D1E18BF28B0683F800740B837D0000740383E80203C88BC1C1E902C1E1023BC8740A83C0028BC833C040EB0233#

add tmp1, 30      //350

mov [tmp1], #C0C30000000000000000000000000000#

mov tmp1, dllimgbase

add tmp1, 3       //3

mov tmp2, dllimgbase

add tmp2, 400

mov [tmp1], tmp2

add tmp1, 7       //A

mov [tmp1], reloctemp

add tmp1, 7       //11

mov tmp2, reloc_rva

add tmp2, imgbase

mov [tmp1], tmp2

add tmp1, 7      //18

mov [tmp1], reloc_size

add tmp1, 7      //1F 

mov [tmp1], tmp10

add tmp1, 5      //24

mov tmp3, reloc_size

shr tmp3, 2

mov [tmp1], tmp3  //reloc no.

add tmp1, 5       //29

mov tmp5, reloc1

and tmp5, 0FFFFF000

mov [tmp1], tmp5

add tmp1, 4E      //77

mov [tmp1], tmp5

add tmp1, 60      //D7

mov tmp3, [tmp1+2]

mov tmp2, reloc1

sub tmp2, tmp5

add tmp2, 3000

mov [tmp1], tmp2

add tmp1, 2       //D9

mov [tmp1], tmp3

add tmp1, 12D     //206

mov tmp6, reloc1

sub tmp6, tmp5

add tmp6, 3000

mov tmp3, [tmp1+2]

mov [tmp1], tmp6

add tmp1, 2

mov [tmp1], tmp3

cmp tmp10, 1

je lab48_1

mov tmp1, dllimgbase

add tmp1, 211     //211

mov tmp6, reloc2

sub tmp6, tmp5

add tmp6, 3000

mov tmp3, [tmp1+2]

mov [tmp1], tmp6

add tmp1, 2

mov [tmp1], tmp3

cmp tmp10, 2

je lab48_1

mov tmp1, dllimgbase

add tmp1, 21C    //21C

mov tmp6, reloc3

sub tmp6, tmp5

add tmp6, 3000

mov tmp3, [tmp1+2]

mov [tmp1], tmp6

add tmp1, 2

mov [tmp1], tmp3

cmp tmp10, 3

je lab48_1

mov tmp1, dllimgbase

add tmp1, 227    //227

mov tmp6, reloc4

sub tmp6, tmp5

add tmp6, 3000

mov tmp3, [tmp1+2]

mov [tmp1], tmp6

add tmp1, 2

mov [tmp1], tmp3

cmp tmp10, 4

je lab48_1

mov tmp1, dllimgbase

add tmp1, 232    //232

mov tmp6, reloc5

sub tmp6, tmp5

add tmp6, 3000

mov tmp3, [tmp1+2]

mov [tmp1], tmp6

add tmp1, 2

mov [tmp1], tmp3

cmp tmp10, 5

je lab48_1

mov tmp1, dllimgbase

add tmp1, 123D   //23D

mov tmp6, reloc6

sub tmp6, tmp5

add tmp6, 3000

mov tmp3, [tmp1+2]

mov [tmp1], tmp6

add tmp1, 2

mov [tmp1], tmp3

cmp tmp10, 6

jne error



lab48_1:

mov tmp1, dllimgbase

add tmp1, 262    //262

mov [tmp1], tmp5

mov tmp1, dllimgbase

add tmp1, 1EB    //1EB--end point

mov tmp2, tmp1

add tmp2, 63     //24E--error point

mov tmp7, eip

mov eip, dllimgbase

bp tmp1

bp tmp2

eob lab48_2

eoe lab48_2

esto



lab48_2:

cmp eip, tmp1

je lab48_3

cmp eip, tmp2

je lab48_4

jmp error



lab48_3:

bc tmp1

bc tmp2

mov eip, tmp7

fill dllimgbase, 420, 00

mov tmp1, reloc_rva

add tmp1, imgbase

call ChkRelocSize

jmp lab49



lab48_4:

msg "Fix relocation table error"

//pause

jmp error



lab49:

mov reloc_size, tmp2

//log reloc_size



//relocate addr in IAT

lab49_1:

coe

cob

find Aspr1stthunk, #00000000#

mov tmp10, $RESULT

sub tmp10, Aspr1stthunk

mov tmp1, tmp10

shr tmp10, 2

mov tmp2, tmp10

shl tmp2, 2

cmp tmp1, tmp2

je lab49_2

add tmp10, 1



lab49_2:

mov tmp1, dllimgbase

mov [tmp1], #609CBD00038D00C745040000E200C7450818900010C7450C00900010C7451000D00010C7451460040000B917010000B8#

add tmp1, 30      //30

mov [tmp1], #009000008B7D108BD7F2AF85C90F85FD0000008BFA8B0F83F9000F84900000003BC877078B4F0403F9EBEA8BCF8BD12B#

add tmp1, 30      //60

mov [tmp1], #4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C7088BD7B9030000008B5D088BF3# 

add tmp1, 30      //90

mov [tmp1], #2B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1023BCB7406#

add tmp1, 30      //C0

mov [tmp1], #83C70283C302895AFC5B8BCB8B7504F3A4E99D01000000000000000000009090C70700B0000083C7088BD7B903000000#

add tmp1, 30      //F0

mov [tmp1], #8B5D088BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1#

add tmp1, 30      //120

mov [tmp1], #023BCB740683C70283C302895AFCE940010000000000000000000000000000908BD783EA04031766837AFE00750A832F#

add tmp1, 30      //150

mov [tmp1], #02C7450001000000578B0F83E90833C083C7048BD7668B07663D1830770883C70283E902EBEF83F900740D8B42FC83E8#

add tmp1, 30      //180

mov [tmp1], #083BC1740383EF028BD78BCF2B4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAB9030000008B5D08#

add tmp1, 30      //1B0

mov [tmp1], #8BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7025B8BCB8B7504F3A45FB903000000D1E101#

add tmp1, 30      //1E0

mov [tmp1], #0F8BC18BD783EA0403178BCA2BCF83E9048BD9C1E902C1E1023BCB7443830702578BFA8BCF2B4D108B5D142BD903D88B#

add tmp1, 30      //210

mov [tmp1], #CB578B7D048BF2F3A433C05F66C707000083C7028BCB8B7504F3A45FEB45000000000000000000000000000000009090#

add tmp1, 30      //240

mov [tmp1], #837D0001752D8BFA8BCF2B4D108B5D142BD903D88BCB578B7D0483C2028BF2F3A433C05F578BCB8BFAF3AA5F8BCB8B75#

add tmp1, 30      //270

mov [tmp1], #04F3A49D619090909090909000000000#

mov tmp1, dllimgbase

add tmp1, 3       //3

mov tmp2, dllimgbase

add tmp2, 300

mov [tmp1], tmp2

add tmp1, 7       //0A

mov [tmp1], reloctemp

add tmp1, 7       //11

mov [tmp1], Aspr1stthunk

add tmp1, 7       //18

GMEMI Aspr1stthunk, MEMORYBASE

mov tmp3, $RESULT

mov [tmp1], tmp3

add tmp1, 7       //1F

mov tmp3, reloc_rva

add tmp3, imgbase

mov [tmp1], tmp3

add tmp1, 7      //26

mov [tmp1], reloc_size

add tmp1, 5      //2B

mov tmp3, reloc_size

shr tmp3, 2

mov [tmp1], tmp3

add tmp1, 5      //30

GMEMI Aspr1stthunk, MEMORYBASE

mov tmp6, $RESULT

sub tmp6, imgbase

mov [tmp1], tmp6

add tmp1, 4D     //7D

mov [tmp1], tmp6

add tmp1, A      //87

mov [tmp1], tmp10

add tmp1, 5B     //E2 

mov [tmp1], tmp6

add tmp1, A      //EC

mov [tmp1], tmp10

add tmp1, 7E     //16A

mov tmp4, Aspr1stthunk

sub tmp4, tmp6

add tmp4, 3000

mov tmp2, [tmp1+2]

mov [tmp1], tmp4

add tmp1, 2     //16C

mov [tmp1], tmp2

add tmp1, 3D    //1A9

mov [tmp1], tmp10

add tmp1, 30    //1D9

mov [tmp1], tmp10

add tmp1, 9C    //275  -- end point

mov tmp7, eip

mov eip, dllimgbase

bp tmp1

eob lab49_3

eoe lab49_3

run



lab49_3:

cmp eip, tmp1

je lab49_4

jmp error



lab49_4:

bc tmp1

mov eip, tmp7

fill dllimgbase, 320, 00

mov tmp1, reloc_rva

add tmp1, imgbase

call ChkRelocSize



lab49_5:

mov reloc_size, tmp2

//log reloc_size

GMEMI reloctemp, MEMORYSIZE

mov tmp2, $RESULT

free reloctemp, tmp2



lab51:

scmp caller, "lab46_1"

je lab52

scmp caller, "lab84"

je lab85

jmp error



//Search and fix CRC check

lab52:

mov caller, "nil"

cob

coe

mov tmp9, eip         //save eip

mov tmp1, dllimgbase

mov [tmp1], #609CBE00104000B9FCAF28008B1681E2F0F0FF0081FA5050E8000F85100100008A1680E20F80FA0873688A560180E20F#

add tmp1, 30         //30

mov [tmp1], #80FA08735D8B5E0481E3FFFFFF0083FB00754F515683C607B90001000033C08B1681E2FFF0F0F081FAC35050E0740846#

add tmp1, 30        //60

mov [tmp1], #4985C975EAEB03408BD65E5983F80175218D5E038B1B03DE83C3073BDA73138A42013C58720C8A42023C587205E90E00#

add tmp1, 30        //90

mov [tmp1], #0000E9A90100009090909090909090904250515756B8E9000000B9000100008BFE33F6F2AEE3193BFA77158BDF031F83#

add tmp1, 30        //C0

mov [tmp1], #C3043BDA75ED46EBEA9090909090909083FE01742B83FE0274095E5F5958E95D0100005E8BC683C002C600B8C7400101#

add tmp1, 30        //F0

mov [tmp1], #00000083C005EB0E00000000000000005E8BC683C002C600E98BCA2BC883E9058948015F5958E9250100009000000000#

add tmp1, 30        //120

mov [tmp1], #000000000000000000000000000000008B1681E2F0F0FFFF81FA50500F84754066817E06FFFF75388B5EF381E3FFFF00#

add tmp1, 30        //150

mov [tmp1], #FF81FB0F8200FF75278B56F981E2F0FFF00081FA5081F000751666C7460290E9E9CB0000000000000000000000000090#

add tmp1, 30        //180

mov [tmp1], #803EE90F85B70000008B560183FA000F85AB00000033DB668B5E056681E3F0F06681FB50500F859500000033D28A5605#

add tmp1, 30        //1B0

mov [tmp1], #80E20F80FA080F82840000008A560680E20F80FA087279807E07E975738B560881E200FFFFFF83FA007565575150B80F#

add tmp1, 30        //1E0

mov [tmp1], #000000B9400000008BFE83EF40F2AE85C97448803F847407803F857417EBEE8BC70347013BC6753366C747FF90E9EB2B#

add tmp1, 30        //210

mov [tmp1], #000000008BC70347018038E9751D8A580180E3F080FB1077129090909066837803007507C747010000000058595F9090#

add tmp1, 30        //240

mov [tmp1], #83C60183E90185C90F85BEFDFFFF9D619090#

mov tmp1, dllimgbase

add tmp1, 3          //3

mov [tmp1], 1stsecbase

add tmp1, 5          //08

mov tmp3, sizeofimg

sub tmp3, 2004

mov [tmp1], tmp3

mov tmp3, dllimgbase

add tmp3, 250        //end point

mov eip, dllimgbase

bp tmp3

run

cmp eip, tmp3

jne error

bc tmp3



lab53:

fill dllimgbase, 260, 00

mov eip, tmp9



//get all call xxxxxxxx

lab54:

cmp type1API, 0

je lab78



fixtype1:

find dllimgbase, #3130320D0A#          //search "102"

mov tmp6, $RESULT

cmp tmp6, 0

je error

find tmp6, #05FF00000050#          //"Add eax,FF"  "push eax"

mov tmp1, $RESULT

cmp tmp1, 0

je error

find tmp1, #8B45F4E8#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 3

opcode tmp2

mov func1, $RESULT_1

//log func1

add tmp2, 5

find tmp2, #8B45F4E8#

mov tmp1, $RESULT

cmp tmp1, 0

je error

add tmp1, 3

opcode tmp1

mov func2, $RESULT_1

//log func2

add tmp1, 5

find tmp1, #8B45F4E8????????#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 3

opcode tmp2

mov func3, $RESULT_1

//log func3

mov tmp1, tmp2

add tmp1, 5

mov tmp3, [tmp1]

find tmp1, #8B55FCE8#

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 3

opcode tmp2

mov func4, $RESULT_1

//log func4

cmp tmp3, A1FC4589

jne lab55

find tmp1, #8B83080100008B401C#

mov tmp2, $RESULT

cmp tmp2, 0

je lab54_1

mov v2.0x, 1

jmp lab55



lab54_1:

mov v1.32, 1



lab55:

//log v1.32

//log v2.0x

mov tmp1, dllimgbase

mov [tmp1], #609CBB000E0201BE00104000803EE875188B460103C683C0053B432C750B893500C09E00E8170000004681FE00705900#

add tmp1, 30     //30

mov [tmp1], #72DA9D6190909000000000000000009060BD0009FB00A100C09E00894510BB000E02018B480103C883C1053B4B2C7421#

add tmp1, 30     //60

mov [tmp1], #61C3909090909090909090909090909090909090909090909090909090909090908B45102B43148B55102B53242B93E0#

add tmp1, 30     //90

mov [tmp1], #0000008955F83B43280F83600400008D53408955E48B53188955F48B551083C2058A123293E00000008BFA81E7FF0000#

add tmp1, 30     //C0

mov [tmp1], #0025FF00000033F83B7DF40F87AE0100008B83E4000000F7EF0343548945FC8B45E40FB6008D04408B7483688B45FCFF#

add tmp1, 30     //F0

mov [tmp1], #D68BF03B75F80F8574010000807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F843B0200008D75FC#

add tmp1, 30     //120

mov [tmp1], #33C08A43428D04408BD38B7C82688B06FFD78945B833C08A43438D04408BD38B7C82688B06FFD78BF833C08A43458D04#

add tmp1, 30     //150

mov [tmp1], #408BD38B5482688B06FFD28845B733C08A43418D04408BD38B5482688B06FFD28845BF8B83E00000000345B88945D433#

add tmp1, 30     //180

mov [tmp1], #C08A43478D04408BD38B5482688B06FFD28945E003BBE00000005733C08A45B705FF000000508BC3E88BB102008BC88B#

add tmp1, 30     //1B0

mov [tmp1], #53108BC3E80B9F02008945D033C08A43488D04408BD38B7C82688B06FFD78B55D00155E08B5510422B022B45D08B5510#

add tmp1, 30     //1E0

mov [tmp1], #0FB61203C28BD38B522C2B551083EA0503C28D55CC52668B4DE08BD08BC3E8E9AB02008B83E00000000145CC837DD4FF#

add tmp1, 30     //210

mov [tmp1], #740E8B45108B5D14890383C304895D148B5DCCE978020000909090909090909090909090909090909090909090909090#

add tmp1, 30     //240

mov [tmp1], #BE00705900391E741183C60481FE747A59000F87A7020000EBEB81EE0000400081C600004000C3000000000000000090#

add tmp1, 30     //270

mov [tmp1], #81C7FF0000003B7DF40F8652FEFFFF8B83080100008B401C488945F48B43188B55F4423BC27405E9630200008B45F485#

add tmp1, 30     //2A0

mov [tmp1], #C00F8C58020000408945E0C745EC000000008B83080100008B55ECE8800000008BF88B45E40FB6008D04408B7483688B#

add tmp1, 30     //2D0

mov [tmp1], #4704FFD68BF03B75F8753F807B200074178B45E40FB640098D04408B5483688B4704FFD23C01746883C7048BF7E91EFE#

add tmp1, 30     //300

mov [tmp1], #FFFF909090900000000000000000000000000000000090909090FF45ECFF4DE07590E9D8010000909090909000000000#

add tmp1, 30     //330

mov [tmp1], #0000000000000000000000000000000033C985D27C0B3B501C7D068B40188B0C908BC1C3909090908D75FCEB08909090#

add tmp1, 30     //360

mov [tmp1], #83C7048BF733C08A43478D04408BD38B7C82688B06FFD78945EC33C08A43488D04408BD38B7C82688B06FFD78945E833#

add tmp1, 30     //390

mov [tmp1], #C08A43428D04408BD38B7C82688B06FFD78BF833C08A43468D04408BD38B5482688B06FFD28845DF03BBE00000005733#

add tmp1, 30     //3C0

mov [tmp1], #C08A45DF05FF000000508BC3E867AF02008BC88B53108BC3E8E79C02008945D833C08A43438D04408BD38B7C82688B06#

add tmp1, 30     //3F0

mov [tmp1], #FFD78BF803BBE00000008B45EC03C70345D88945EC8B45E82BC72B45D88945E833C08A43418D04408BD38B5482688B06#

add tmp1, 30     //420

mov [tmp1], #FFD28845BF895D208BD88D45B450668B4DEC668B55E88B4520E8AEA902008B45208B80E00000000345B48945FC8945CC#

add tmp1, 30     //450

mov [tmp1], #576A008D4DE08B45208B403C8B55FCE8106D02008945FC8B45E08B00E81F0000000045BF8B5DCCEB2700000000000000#

add tmp1, 30     //480

mov [tmp1], #00000000000000000000000000000090516689C1C1C0106601C828E059C3000081FB909090907507BB90909090EB2181#

add tmp1, 30     //4B0

mov [tmp1], #FB909090907507BB90909090EB1281FB90909090750ABB909090009090909090E86BFDFFFF66B9FF158B5DE48A430A3A#

add tmp1, 30     //4E0

mov [tmp1], #45BF74056681C100108B5D1066890B83C3028933FF05000E900061C390909090#





mov tmp1, dllimgbase

mov tmp2, tmp1

add tmp1, 3       //3

mov [tmp1], EBXaddr

add tmp1, 5       //8

mov [tmp1], 1stsecbase

add tmp1, 18      //20

mov tmp4, dllimgbase

add tmp4, 0E04       //dllimgbase+0E04

mov [tmp1], tmp4

add tmp1, 0C      //2C

mov tmp3, sizeofimg

sub tmp3, 1000

add tmp3, imgbase

mov [tmp1], tmp3

add tmp1, 16      //42

mov tmp2, dllimgbase

add tmp2, 900        //dllimgbase+900

mov [tmp1], tmp2

add tmp1, 5       //47

mov [tmp1], tmp4

add tmp1, 8       //4F

mov [tmp1], EBXaddr

add tmp1, 159     //1A8

eval "{func1}"

asm tmp1, $RESULT

add tmp1, C       //1B4

eval "{func2}"

asm tmp1, $RESULT

add tmp1, 4A      //1FE

eval "{func3}"

asm tmp1, $RESULT

add tmp1, 43      //241

mov [tmp1], iatstartaddr

add tmp1, D       //24E

mov [tmp1], iatendaddr

add tmp1, E       //25C

mov [tmp1], imgbase

add tmp1, 6       //262

mov [tmp1], imgbasefromdisk

add tmp1, 16A     //3CC

eval "{func1}"

asm tmp1, $RESULT

add tmp1, C       //3D8

eval "{func2}"

asm tmp1, $RESULT

add tmp1, 61      //439

eval "{func3}"

asm tmp1, $RESULT

add tmp1, 26      //45F

eval "{func4}"

asm tmp1, $RESULT

add tmp1, 97      //4F6

mov tmp2, dllimgbase

add tmp2, E00        //dllimgbase+E00  for storing E8count

mov [tmp1], tmp2

mov tmp2, dllimgbase

add tmp2, 914        //dllimgbase+900

mov [tmp2], lastsecbase    //loc for storing sc after API

mov tmp2, dllimgbase

add tmp2, 34         //34 -- end point

bp tmp2

mov tmp3, dllimgbase

add tmp3, 4FF        //4FF -- error point

bp tmp3

cmp v1.32, 1

jne lab56

mov tmp4, dllimgbase

add tmp4, 203        //203

mov [tmp4], #8945CC83C404909090#

add tmp4, 7C         //27F

mov [tmp4], #8B830401#

add tmp4, 33         //2B2

mov [tmp4], #8B830401#

add tmp4, 18C        //43E

mov [tmp4], #83C404909090909090909090#

find dllimgbase, #3136300D0A#

mov tmp4, $RESULT

cmp tmp4, 0

jne lab56_1

find dllimgbase, #3B7DF40F83????FFFF8B4354#

mov tmp4, $RESULT

cmp tmp4, 0

je error

mov tmp4, dllimgbase

add tmp4, 270        //270

mov [tmp4], #81C7FF0000003B7DF40F8652FEFFFF8B43548945FC8B7B1885FF0F866F0200008B45E40FB6008D04408B7483688B45FC#

add tmp4, 30         //2A0

mov [tmp4], #FFD68BF03B75F87571807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F848E0000008D75FCE94EFE#

add tmp4, 30         //2D0

mov [tmp4], #FFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#

add tmp4, 30         //300

mov [tmp4], #00000000000000000000000000000000000000000000909090904F8B83E40000000145FC85FF0F8764FFFFFFE9CE01000090#

jmp lab56_1



lab56:

cmp v2.0x, 1

jne lab56_1

mov tmp4, dllimgbase

add tmp4, 203        //203

mov [tmp4], #8945CC83C404909090#

add tmp4, 23b        //43E

mov [tmp4], #83C404909090909090909090#



lab56_1:

cmp DFCequ, 0

je lab56_2

mov tmp1, dllimgbase

add tmp1, 4A2        //4A2

mov [tmp1], DFCequ

add tmp1, 7          //4A9

mov [tmp1], DFCaddr

jmp lab56_3



lab56_2:

mov tmp1, dllimgbase

add tmp1, 4A0

mov [tmp1], #EB0D#



lab56_3:

cmp REequ, 0

je lab56_4

mov tmp1, dllimgbase

add tmp1, 4B1        //4B1

mov [tmp1], REequ

add tmp1, 7          //4B8

mov [tmp1], REaddr

jmp lab56_5



lab56_4:

mov tmp1, dllimgbase

add tmp1, 4AF

mov [tmp1], #EB0D#



lab56_5:

cmp GPAequ, 0

je lab56_6

mov tmp1, dllimgbase

add tmp1, 4C0        //4C0

mov [tmp1], GPAequ

add tmp1, 7          //4C7

mov [tmp1], GPAaddr

jmp lab57



lab56_6:

mov tmp1, dllimgbase

add tmp1, 4BE

mov [tmp1], #EB0B#



lab57:

mov tmp6, eip

mov eip, dllimgbase

eob lab58

eoe lab58

esto



lab58:

cmp eip, tmp2

je lab59

cmp eip, tmp3

je lab60

esto



lab59:

bc tmp2

bc tmp3

mov eip, tmp6

mov E8count, 0

mov E8count, [dllimgbase+0E00]

//log E8count

//msg "Fix type 1 API OK!"

//pause

jmp lab69



lab60:

msg "Unexpected termination of the process"

//pause

jmp end



//lab61_lab68



lab69:

mov tmp1, dllimgbase

add tmp1, 914                  //dllimgbase+914

mov tmp2, [tmp1]

mov tmp3, lastsecbase          //loc for storing sc after API

cmp tmp3, tmp2

je lab76

sub tmp2, tmp3

//dm tmp3, tmp2, "SCafAPI.bin"

shr tmp2, 2

mov SCafterAPIcount, tmp2

//log SCafterAPIcount

//msg "Advanced IAT protection detected, press OK to fix it"

//pause

fill dllimgbase, 0E10, 00



//Advanced Import protection

find dllimgbase, #3130320D0A#  //search "102"

mov tmp6, $RESULT

cmp tmp6, 0

je error

find tmp6, #8B80E4000000E8#   //search "mov eax,[eax+E4]" "call xxxxxxxx"

mov tmp1, $RESULT

cmp tmp1, 0

je error

add tmp1, 6

opcode tmp1

mov func1, $RESULT_1

//log func1

add tmp1 , 6

find tmp1, #8BC7E8????????#        //search "mov eax,edi","call xxxxxxx" 

mov tmp2, $RESULT

cmp tmp2, 0

je error

add tmp2, 2

opcode tmp2

mov func2, $RESULT_1

//log func2

add tmp2, 8

mov ori1, [tmp2]

//log ori1

find tmp2, #E8????????#

mov tmp1, $RESULT

cmp tmp1, 0

je error

opcode tmp1

mov func3, $RESULT_1

//log func3

mov tmp3, [tmp1+1]

add tmp3, tmp1

add tmp3, 5

mov tmp4, [tmp3+09]

cmp tmp4, 01B2D88B

je lab70

mov newver, 1



lab70:

//log newver

mov tmp9, eip                 //save eip



mov tmp1, dllimgbase

mov [tmp1], #60BB6806F400BD000BEE00BF000BEE008B57048BC3E8860900008945D88D73408B83E4000000E821250000897DDC8BF8#

add tmp1, 30   //30

mov [tmp1], #8B8BE40000008B55D88BC7E87C6000006A10B9C0B7F1008B93E40000008BC7E8E84801009090909033C08A46028D0440#

add tmp1, 30   //60

mov [tmp1], #8BD38B5482688BC7FFD28945F033C08A46038D04408BD38B5482688BC7FFD28945EC33C08A46018D04408BD38B548268#

add tmp1, 30   //90

mov [tmp1], #8BC7FFD23A434A74403A434B74423A434C0F84890000003A434D0F84800000003A434F0F84A70600003A43500F841E07#

add tmp1, 30  //C0

mov [tmp1], #00003A43510F84750700003A43520F84DC070000E907090000E9E208000090908B8BE0000000034DEC034D908B7DDC8B#

add tmp1, 30  //F0

mov [tmp1], #3F8B1F83C3068BC12BC38BD07905F7D283C20481FA81000000770BC603EB83E802884301EB09C603E983E805894301E9#

add tmp1, 30  //120

mov [tmp1], #9C0800009090909090909090909090908845D033C08945AC8945B08945B48945B88945BC8A46078D04408B5483688BC7#

add tmp1, 30  //150

mov [tmp1], #FFD28945B033C08A46058D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B0C745B40100000033C08A46#

add tmp1, 30  //180

mov [tmp1], #088D04408B5483688BC7FFD28945B833C08A46068D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B8C7#

add tmp1, 30  //1B0

mov [tmp1], #45BC0100000033C08A46098D04408B5483688BC7FFD284C0742EFEC87430FEC87432FEC80F8466010000FEC80F841E02#

add tmp1, 30  //1E0

mov [tmp1], #0000FEC80F8416030000FEC80F84BE030000E9E907000090E9C307000090E9BD0700009057538B7DDC8B3F8B0F83C106#

add tmp1, 30  //210

mov [tmp1], #837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB004740E807DB005#

add tmp1, 30  //240

mov [tmp1], #741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9D00000003E8B55B881FA800000#

add tmp1, 30  //270

mov [tmp1], #007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102EB1B668901#

add tmp1, 30  //2A0

mov [tmp1], #C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB6C891183C104#

add tmp1, 30  //2D0

mov [tmp1], #EB658B45900145B0837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E#

add tmp1, 30  //300

mov [tmp1], #8B55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B08941#

add tmp1, 30  //330

mov [tmp1], #0289510683C10A8BD9E952030000909057538B7DDC8B3F8B0F83C106837DB4010F858A060000837DBC017544B83B0000#

add tmp1, 30  //360

mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3C668901C6410224EB0C05# 

add tmp1, 30  //390

mov [tmp1], #00400000668901C641020083C103EB22B83B05000033D23E8A55B0C0E20386F203C26689013E8B55B803559089510283#

add tmp1, 30  //3C0

mov [tmp1], #C1068BD9E9C702000000000000000000#

add tmp1, 30  //3F0

mov [tmp1], #9090909090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F859F000000837DBC017551807DB005#

add tmp1, 30  //420

mov [tmp1], #742AB83800000033D23E8A55B8C0E2033E0255B086F203C266890383C302807DB0047524C6032483C301EB1CB8384500#

add tmp1, 30  //450

mov [tmp1], #0033D23E8A55B8C0E20386F203C2668903C643020083C303E923020000807DB0047423807DB005742BB88038000033D2#

add tmp1, 30  //480

mov [tmp1], #3E8A55B086F203C26689038B55B888530283C303EB5AC703833C24008B55B8885303EB0CC703837D00008A55B8885303#

add tmp1, 30  //4B0

mov [tmp1], #83C304EB3B837DBC017521B83805000033D23E8A55B8C0E20386F203C26689033E8B55B089530283C306EB1466C70380#

add tmp1, 30  //4E0

mov [tmp1], #3D8B55B08953028A45B888430683C307E99B010000909090909090909090909057538B7DDC8B3F8B1F83C306837DB401#

add tmp1, 30  //510

mov [tmp1], #0F85CA040000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB80574116689#

add tmp1, 30  //540

mov [tmp1], #0383C302EB39668903C6430224EB0C0500400000668903C643020083C303EB1FB83A05000033D23E8A55B0C0E20386F2#

add tmp1, 30  //570

mov [tmp1], #03C26689033E8B55B889530283C306E90C010000900000000000000000000000#

add tmp1, 30  //5A0

mov [tmp1], #0000000090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F851A040000837DBC01751EB83BC000#

add tmp1, 30  //5D0

mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C266890383C302EB4B3E8B55B881FA80000000731AB883F8000033C93E8A4D#

add tmp1, 30  //600

mov [tmp1], #B086E903C166890388530283C303EB258B4DB083F900750BC6033D89530183C305EB12B881F8000086E903C166890389#

add tmp1, 30  //630

mov [tmp1], #530283C306EB59909090909090909090#

add tmp1, 30  //660

add tmp1, 30  //690

mov [tmp1], #895DAC5B5F33C08A45D03A434C0F851D0300009090909090909090909090909033C08A46048D04408BD38B5482688BC7#

add tmp1, 30  //6C0

mov [tmp1], #FFD23C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007508B83E00000000345EC0345908B#

add tmp1, 30  //6F0

mov [tmp1], #55AC8BCA2BC87826F7D14980F980720B5883C0708802884A01EB3D5886E0050F80000066890283E904894A02EB2AF7D1#

add tmp1, 30  //720

mov [tmp1], #4181F981000000770E5883C070880283E902884A01EB115886E0050F80000066890283E906894A02E973020000000000#

add tmp1, 30  //750

mov [tmp1], #0000000000000000000000000090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B#

add tmp1, 30  //780

mov [tmp1], #5482688BC7FFD28BC88B7DDC8B3F8B1F83C3063D80000000771433C08A45EB86E00583C00000668903884B02EB1E33C0#

add tmp1, 30  //7B0

mov [tmp1], #8A45EB3C007508C60305894B01EB0D86E00581C00000668903894B02E9EF010000000000000000000000000000000090#

add tmp1, 30  //7E0

mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B5482688BC7FFD28845EA8B7DDC8B3F8B#

add tmp1, 30  //810

mov [tmp1], #1F33C08A45EBC1E0030245EA86E0058BC0000066894306E9940100000000000000000000000000000000000000000000#

add tmp1, 30  //840

mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B5482688BC7FFD28BC8034D908B7DDC8B#

add tmp1, 30  //870

mov [tmp1], #3F8B1F83C306807DEB00741733C08A45EBC0E00386E00589050000668903894B02EB06C603A3894B01E9220100000000#

add tmp1, 30  //8A0

mov [tmp1], #0000000000000090909090909090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B#

add tmp1, 30  //8D0

mov [tmp1], #5482688BC7FFD28845EA33C08A46078D04408BD38B5482688BC7FFD28BC88B7DDC8B3F8B1F83C306807DEB04743B3D80#

add tmp1, 30  //900

mov [tmp1], #000000771A33C08A45EAC0E0030245EB86E00589400000668903884B02EB5533C08A45EAC0E0030245EB86E005898000#

add tmp1, 30  //930

mov [tmp1], #00668903894B02EB3B3D80000000771B33C08A45EAC0E00386E00589440000668903C6430224884B03EB1933C08A45EA#

add tmp1, 30  //960

mov [tmp1], #C0E00386E00589840000668903C6430224894B03EB4A90909000000000000000#

add tmp1, 30  //990

mov [tmp1], #0000000000000000000000000000009053568BF28BD83B731C7602EB338BC6F7ABE40000000343585E5BC39000000000# 

add tmp1, 30  //9C0

mov [tmp1], #8B7DDC8B0783C004833800740A8907FF4704E92AF6FFFF6190900000000000009090#







mov tmp1, dllimgbase

add tmp1, 2     //2

mov [tmp1], EBXaddr

mov tmp2, dllimgbase

add tmp2, 0B00            //dllimgbase+0B00

add tmp1, 5    //7

mov [tmp1], tmp2

add tmp1, 5    //C

mov [tmp1], tmp2

mov [tmp2], lastsecbase    //loc for storing sc after API

add tmp1, 1A   //26

eval "{func1}"

asm tmp1, $RESULT

add tmp1, 15   //3B

eval "{func2}"

asm tmp1, $RESULT

add tmp1, 8   //43

mov [tmp1], ori1

add tmp1, 0C  //4F

eval "{func3}"

asm tmp1, $RESULT

cmp newver, 1

je lab70_1

mov tmp1, dllimgbase

add tmp1, 54  //54

mov [tmp1], #83C40490#



lab70_1:

mov tmp1, dllimgbase

mov tmp2, tmp1

mov tmp3, tmp1

mov tmp4, tmp1

mov tmp5, tmp1

add tmp5, A90        //dllimgbase+A90

mov [tmp5], imgbasefromdisk

add tmp3, 1F8        //cmp type 0

bp tmp3

add tmp4, 1FE        //cmp type 1

bp tmp4

add tmp1, 9d8        //9d8   

bp tmp1              //end point

add tmp2, 9E0        //error point 

bp tmp2

mov eip, dllimgbase

eob lab71

eoe lab71

esto



lab71:

cmp eip, tmp1

je lab72

cmp eip, tmp2

je lab73

cmp eip, tmp3

je lab74

cmp eip, tmp4

je lab75

jmp error



lab72:

bc tmp1

bc tmp2

bc tmp3

bc tmp4

//msg "Fix advanced IAT protection OK!"

//pause

mov eip, tmp9            //restore eip

jmp lab76



lab73:

msg "Something error"

//pause

jmp end



lab74:

msg "cmp type 0"

pause

eob lab71

eoe lab71

esto



lab75:

msg "cmp type 1"

pause

eob lab71

eoe lab71

esto



lab76:

fill dllimgbase, E10, 00

fill lastsecbase, lastsecsize, 00



mov tmp1, type3count

add tmp1, E8count

mov tmp2, [EBXaddr+18]

cmp tmp1, tmp2

je lab78

msg "Warning, there are some API not resolved!"

//pause



lab78:

mov caller, "nil"

mov tmp1, [esp]

mov tmp1, dllimgbase

add tmp1, 1000

find tmp1, #C6463401#    //search "mov byte[esi+34], 1"

mov tmp2, $RESULT

cmp tmp2, 0

je error

find tmp2, #68????????68????????68#

mov transit2, $RESULT

cmp transit2, 0

je error

//log transit2

bp transit2

find tmp1, #01049?43#     //search "add dword ptr [edi+ebx*4],edx" "inc ebx" 

mov tmp2, $RESULT

cmp tmp2, 0

jne lab80

find tmp1, #01148740#     //search "add dword ptr [edi+eax*4],edx" "inc eax"

mov tmp2, $RESULT

cmp tmp2, 0

jne lab80

find tmp1, #3137300D0A#

cmp $RESULT, 0

jne lab80_1

mov tmp1, [esp]

mov tmp2, [tmp1]

cmp tmp2, 68

jne lab80_1

mov tmp2, [tmp1+5], 1

cmp tmp2, 68

jne lab80_1

mov tmp2, [tmp1+6]

cmp tmp2, tmp1

jne lab80_1

//Internal VM decrypt

mov VMstartaddr, tmp1

add tmp1, 20

find tmp1, #68????????68????????68#

mov VMlength, $RESULT

cmp VMlength, 0

je lab80_1

sub VMlength, VMstartaddr

cmp VMlength, 900

ja error

log VMlength

cmp VMcodeloc, 0

jne lab78_1

alloc 10000

mov VMcodeloc, $RESULT



lab78_1:

log VMcodeloc

lm VMcodeloc, 4000, "C:\Asprvm8s.bin"

mov tmp1, VMcodeloc

mov tmp2, VMcodeloc

add tmp2, 3f00

add tmp1, 2

mov [tmp1], tmp2

add tmp1, 2821

asm tmp1, "call GetCurrentProcessId"

add tmp1, 56

asm tmp1, "call GetCurrentProcessId"



//copy code

mov tmp1, VMcodeloc

add tmp1, 4500         //VMcodeloc+4500

mov [tmp1], [VMstartaddr], VMlength

coe

cob

mov tmp1, VMcodeloc

mov tmp2, [VMstartaddr+B]

add tmp1, 9                  //VMcodeloc+9

mov [tmp1], tmp2

mov tmp2, [VMstartaddr+6]

add tmp1, 7                  //VMcodeloc+10

mov [tmp1], tmp2

add tmp1, 2CCE               //VMcodeloc+2CDE--end point

bp tmp1

mov tmp9, eip

mov eip, VMcodeloc

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp9



find dllimgbase, #01049?43#     //search "add dword ptr [edi+ebx*4],edx" "inc ebx" 

mov tmp2, $RESULT

cmp tmp2, 0

jne lab80

find dllimgbase, #01148740#     //search "add dword ptr [edi+eax*4],edx" "inc eax"

mov tmp2, $RESULT

cmp tmp2, 0

je lab80_1



lab80:

add tmp2, 9

bp tmp2



lab80_1:

eob lab80_2

eoe lab80_2

esto



lab80_2:

cmp eip, tmp2

je lab81

cmp eip, transit2

je lab83

esto



lab81:

bc tmp2

mov tmp1, eip

mov tmp2, [tmp1+1]

and tmp2, 0F

cmp tmp2, 6

je lab81_1

cmp tmp2, 7

je lab81_2

msg "Unknown Asprotect API register"

jmp error



lab81_1:

mov AsprAPIloc, esi

jmp lab81_3



lab81_2:

mov AsprAPIloc, edi



lab81_3:

mov count, 40             //Need free space 40 bytes for 1.3x

call FindEMUAddr

//log EmuAddr

mov tmp1, eip

mov tmp1, [tmp1-3], 1

cmp tmp1, 0E

je lab81_8

cmp tmp1, 0F

je lab81_8

msg "Unknown Asprotect API "

//pause

jmp error



lab81_8:

cmp isdll, 1

jne lab81_9

cmp imgbasefromdisk, imgbase

je lab81_9

mov tmp3, tmp1

mov tmp4, AsprAPIloc



loop12:

cmp tmp3, 0

je loop12_2

mov tmp2, [tmp4]

cmp tmp2, 0

je loop12_1

mov tmp5, tmp2

sub tmp2, imgbase

eval "{tmp5}   {tmp2}(RVA)"

log $RESULT, "Aspr SDK API  "



loop12_1:

sub tmp3, 1

add tmp4, 4

jmp loop12



loop12_2:

mov tmp3, tmp1

shl tmp3, 2

fill AsprAPIloc, tmp3, 00

jmp lab81_16



lab81_9:

//clear dip 

mov tmp1, AsprAPIloc

mov [tmp1], 0

add tmp1, 2c

mov [tmp1], 0



//add breakpoint

mov tmp5, 0

mov tmp6, 0

mov tmp7, 0

mov tmp8, 0

mov tmp1, AsprAPIloc

add tmp1, 4

mov tmp5, [tmp1]        //GetRegistrationInformation

cmp tmp5, 0

je lab81_13

mov tmp3, 0

find tmp5, #C20400#, 100

mov tmp2, $RESULT

cmp tmp2, 0

je lab81_9_2

mov tmp1, tmp5



lab81_9_0:

findop tmp1, #E8????????#

mov tmp1, $RESULT

cmp tmp1, tmp2

ja lab81_10

mov tmp3, [tmp1+1]

add tmp3, tmp1

add tmp3, 5

cmp tmp3, lastsecbase

ja lab81_9_1

cmp tmp3, 1stsecbase

jb lab81_9_1

mov tmp4, [tmp3]

cmp tmp4, 0D285C931

je lab81_9_2

mov tmp4, [tmp3+2]

cmp tmp4, D88BF28B

jne lab81_9_1

mov tmp4, [tmp3+6]

cmp tmp4, D38BC68B

je lab81_9_2



lab81_9_1:

add tmp1, 5

jmp lab81_9_0



lab81_9_2:

mov caller, "chkGRI"



lab81_10:

bp tmp5



lab81_13:

mov tmp1, AsprAPIloc

add tmp1, 10            //10

mov tmp6, [tmp1]        //GetHardwareID

cmp tmp6, 0

je lab81_14

bp tmp6



lab81_14:

mov tmp1, AsprAPIloc

add tmp1, 30            //30

mov tmp7, [tmp1]        //GetEncryptProc

cmp tmp7, 0

je lab81_15

bp tmp7



lab81_15:

mov tmp1, AsprAPIloc

add tmp1, 34            //34

mov tmp8, [tmp1]        //GetDecryptProc

cmp tmp8, 0

je lab81_16

bp tmp8



lab81_16:

eoe lab82

eob lab82

esto



lab82:

cmp eip, tmp5

je 13xGRI

cmp eip, tmp6

je 13xGHI

cmp eip, tmp7

je 13xGEP

cmp eip, tmp8

je 13xGDP

cmp eip, transit2

je lab90

esto



13xGRI:

bc tmp5

scmp caller, "chkGRI"

jne 13xGRI_2

coe

cob

mov tmp2, [esp]

mov tmp1, esp

add tmp1, 4

mov tmp3, EmuAddr

add tmp3, 4

mov [tmp1], tmp3     //put blank first

eval "eip == 0{tmp2}"

tocnd $RESULT



13xGRI_1:

mov caller, "nil"

jmp 13xGRI_3



13xGRI_2:

mov tmp2, EmuAddr

add tmp2, 4

mov tmp1, esp

add tmp1, 4

mov [tmp1], tmp2



13xGRI_3:

mov [EmuAddr], #04000000566F6C58#               //"VolX"

log EmuAddr, "GetRegistrationInformation  "

add EmuAddr, 10

//msg "13xGRI"

//pause

eoe lab82

eob lab82

esto



13xGHI:

bc tmp6

mov [EmuAddr], #31323334353637382D34343434#        //"12345678-4444"

mov tmp1, esp

add tmp1, 4

mov [tmp1], EmuAddr

log EmuAddr, "GetHardwareID  "

add EmuAddr, 10

//msg "13xGHI"

//pause

eoe lab82

eob lab82

esto



13xGEP:

bc tmp7

mov tmp1, esp

add tmp1, 4

mov [tmp1], EmuAddr

log EmuAddr, "GetEncryptProc  "

add EmuAddr, 10

//msg "13xGEP"

//pause

mov tmp1, AsprAPIloc

add tmp1, 30

mov [tmp1], 0

eoe lab82

eob lab82

esto



13xGDP:

bc tmp8

mov [EmuAddr], #C3#

mov tmp1, esp

add tmp1, 4

mov [tmp1], EmuAddr

log EmuAddr, "GetDecryptProc  "

//msg "13xGDP"

//pause

mov tmp1, AsprAPIloc

add tmp1, 34

mov [tmp1], 0

eoe lab82

eob lab82

esto



//Fix VB Aspr SDK API

lab83:

cmp isdll, 1

je lab90

cmp DFCaddr, 0

je lab90

GMEMI iatendaddr, MEMORYBASE

mov tmp1, $RESULT

cmp tmp1, 0

je error

cmp tmp1, 1stsecbase

jne lab90

bc transit2

cob

coe

mov tmp1, dllimgbase

mov [tmp1], #609CB8FF000000BF00104000B900100D00F2AEE376803F2575F78B5F0181FB0010400072EC81FB00204D0077E48B1381#

add tmp1, 30

mov [tmp1], #FA19A0006675DA8BF74E909090909090BD0002EF00BF00104000B900100D00B8B8000000F2AEE333393775F8807FFA68#

add tmp1, 30

mov [tmp1], #75F28B5FFB8B5304833A1077E7837A040075E18BDF83EB11803BA175D7895D008B1A4B895D0483C508EBC99D61909000#

mov tmp1, dllimgbase

add tmp1, 8

mov [tmp1], 1stsecbase

add tmp1, 5         //0D

mov [tmp1], 1stsecsize

add tmp1, 12        //1F

mov [tmp1], 1stsecbase

add tmp1, 8         //27

mov tmp2, 1stsecbase

add tmp2, 1stsecsize

mov [tmp1], tmp2

add tmp1, 0A        //31

mov [tmp1], DFCaddr

add tmp1, 10        //41

mov [tmp1], thunkdataloc

add tmp1, 5         //46

mov [tmp1], 1stsecbase

add tmp1, 5         //4B

mov [tmp1], 1stsecsize

add tmp1, 42        //8D -- end point

bp tmp1

mov tmp7, eip

mov eip, dllimgbase

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7

fill dllimgbase, 100, 00

mov count, 160            //Need free space 160 bytes for VB

call FindEMUAddr



lab84:

add EmuAddr, 40       //put extra space

mov tmp5, 0           //counter

mov tmp1, AsprAPIloc

add tmp1, 4

mov tmp6, thunkdataloc

mov caller, "lab84"

jmp lab46_2



lab85:

mov caller, "nil"

fill thunkdataloc, 100, 00



lab90:

bc transit2

cmp VMstartaddr, 0

je lab90_1

mov tmp1, [VMcodeloc+4500]

cmp tmp1, 0

je lab90_1

mov tmp1, VMcodeloc

add tmp1, 4514                   //skip first 14 bytes

mov tmp2, VMstartaddr

add tmp2, 14                     //skip first 14 bytes

mov tmp3, VMlength

sub tmp3, 14                     //skip first 14 bytes

mov [tmp2], [tmp1], tmp3

fill VMcodeloc, 5000, 00

mov VMstartaddr, 0



lab90_1:

cob

coe

mov caller, "nil"

mov tmp1, dllimgbase

add tmp1, 1000

find tmp1, #3135330D0A#    //search ASCII"153"

mov tmp2, $RESULT

sub tmp2, 40

find tmp2, #5?5?C3#

mov tmp3, $RESULT

cmp tmp3, 0

je error

add tmp3, 2

rtr

bp tmp3

eob lab91

eoe lab91

esto



lab91:

cmp eip, tmp3

je lab92

esto



lab92:

bc tmp3

mov tmp1, dllimgbase

add tmp1, 1000

find tmp1, #3130330D0A#     //search ASCII"103"

mov tmp2, $RESULT

cmp tmp2, 0

je wrongver

find tmp2, #8D00C3#        //search "lea eax,[eax]" "ret"

mov tmp1, $RESULT

cmp tmp1, 0

je wrongver

bphws tmp1, "x"

eob lab93

eoe lab93

esto



lab93:

cmp eip, tmp1

je lab94

esto



lab94:

bphwc tmp1

cob

coe

find eip, #C700E1000000#

mov tmp1, $RESULT

cmp tmp1, 0

jne lab95

find eip, #C600E1#

mov tmp1, $RESULT

cmp tmp1, 0

je error



lab95:

find tmp1, #A1????????894?#  //search "mov eax, [xxxxxxxx]","mov [e?p+??],reg32"

mov tmp3, $RESULT

cmp tmp3, 0

je error

mov tmp2, 0

mov tmp2, [tmp3+1]

mov tmp1, [tmp2]

cmp tmp1, 0

jne lab99



lab98:

rtr

sti 

GMEMI eip, MEMORYOWNER

mov tmp3, $RESULT

mov tmp2, lastsecbase

add tmp2, lastsecsize

cmp tmp3, tmp2

ja lab98_1

cmp 1stsecbase, tmp3

jb error

GMEMI eip, MEMORYSIZE

mov tmp1, $RESULT

add tmp3, tmp1

eval "eip > 0{tmp3}"

jmp lab98_2



lab98_1:

eval "eip < 0{tmp3}"



lab98_2:

ticnd $RESULT

mov tmp1, eip

sub tmp1, imgbase

mov OEP_rva, tmp1

cmp sdksccount, 0

je lab141         //Go to dump file

mov tmp3, eip

jmp lab104



lab99:

bp tmp1

eob lab99_1

eoe lab99_1

esto



lab99_1:

cmp eip, tmp1

je lab99_2

esto



lab99_2:

bc tmp1

mov OEPscaddr, eip

find eip, #0000000000000000#

mov patchaddr, $RESULT

mov tmp1, patchaddr

add tmp1, 8

mov tmp4, 10



loop16:

cmp tmp4, 0

je notfound

mov tmp2, [tmp1], 1

cmp tmp2, 0

jne lab100

add tmp1, 1

sub tmp4, 1

jmp loop16



lab100:

add tmp1, 3

mov tmp2, [tmp1], 1

cmp tmp2, 0

jne error

sub tmp1, b

mov vcrefend, tmp1

sub tmp1, 4

mov tmp4, 200

mov count, 0



loop17:

cmp tmp4, 0

je notfound

mov tmp2, [tmp1]

cmp tmp2, 00000000

je lab101

sub tmp1, 8

sub tmp4, 8

jmp loop17



lab101:

cmp count, 1

je lab102

add count, 1

sub tmp1, 8

sub tmp4, 8

jmp loop17



lab102:

mov tmp4, tmp1

add tmp4, 4

mov vcrefstart, tmp4



loop18:

cmp tmp4, vcrefend

jae lab103

mov tmp1, [tmp4]

add tmp1, imgbase

eval "{tmp1}"

add tmp4, 4

mov tmp2, [tmp4]

add tmp2, OEPscaddr             //tmp2== address to put comment

cmt tmp2, $RESULT

add tmp4, 4

jmp loop18



lab103:

mov tmp1, vcrefend

sub tmp1, vcrefstart

mov sttablesize, tmp1

dm vcrefstart, sttablesize, "st_table.bin"

GCMT eip

mov tmp1, $RESULT

ATOI tmp1

mov tmp2, $RESULT

sub tmp2, imgbase

mov OEP_rva, tmp2

mov tmp3, $RESULT



lab104:

mov tmp1, lastsecbase

add tmp1, lastsecsize



lab106_1:

mov virtualsec, tmp1

mov tmp1, 0

cmp SDKsize, 0

je lab106_2

//With SDK stolen section

mov newphysecsize, SDKsize



lab106_2:

cmp OEPscaddr, 0

je lab106_3

//With OEP stolen code

GMEMI OEPscaddr, MEMORYSIZE

mov tmp2, $RESULT

add newphysecsize, tmp2



lab106_3:

cmp 55sc, 1

jne lab106_4

//wz std function

add newphysecsize, 1000 



lab106_4:

add newphysecsize, 1000     //extra 1000 bytes

alloc newphysecsize

mov newphysec, $RESULT

//log newphysec

cmp dataloc, 0

jne lab106_5

alloc 4000

mov dataloc, $RESULT

//log dataloc

jmp lab106_6



lab106_5:

fill dataloc, 4000, 00      //clear data



lab106_6:

cmp OEPscaddr, 0

je lab121



//analyse OEP stolen code

find dllimgbase, #33340D0A#

mov tmp1, $RESULT

cmp tmp1, 0

je error

find tmp1, #FF35????????68#

mov tmp2, $RESULT

cmp tmp2, 0

je error

mov tmp1, [tmp2+2]

mov scstk, [tmp1]

//log scstk



//chk free space

mov patchaddr, vcrefend

add patchaddr, 20

and patchaddr, fffffff0

//log patchaddr

GMEMI OEPscaddr, MEMORYSIZE

mov tmp1, $RESULT

GMEMI OEPscaddr, MEMORYOWNER

mov tmp2, $RESULT

mov tmp3, tmp1



//Assume every 1000 bytes will need A0 bytes of free space

shr tmp3, 0C

mov tmp4, tmp3

shl tmp3, 7

shl tmp4, 5

add tmp3, tmp4

//log tmp3, "Free space need = "

add tmp1, tmp2

sub tmp1, patchaddr

//log tmp1, "Free space exist = "

cmp tmp1, tmp3

ja lab107

mov patchaddr, lastsecbase

jmp lab108



lab107:

mov patchinsamesec, 1



lab108:

call FillSCPatch



lab109:

mov tmp1, dllimgbase

mov tmp2, dataloc

add tmp2, 800     //dataloc+800

mov tmp3, tmp1

add tmp3, 0D00    //dllimgbase+D00

add tmp1, 5       //5

mov [tmp1], tmp3

add tmp1, 5       //0A

mov [tmp1], scstk

add tmp1, 0D      //17

mov [tmp1], tmp2

add tmp1, 2A      //41

mov [tmp1], vcrefstart

add tmp1, 19      //5A

mov [tmp1], tmp2

add tmp1, 7       //61

mov [tmp1], patchaddr

add tmp1, 5       //66

mov [tmp1], scstk

add tmp1, 77F     //7E5

mov [tmp1], vcrefstart

add tmp1, d       //7F2

mov [tmp1], vcrefend

mov tmp4, dllimgbase

add tmp4, C9C

mov tmp1, dataloc

add tmp1, 1000

mov [tmp4], tmp1

add tmp4, 4

mov [tmp4], dataloc

mov tmp4, dllimgbase

add tmp4, 7D9             //end point

bp tmp4

mov tmp5, tmp4

add tmp5, 7               //error point 7E0

bp tmp5

mov tmp7, eip             //save eip

mov eip, dllimgbase

eob lab110

eoe lab110

esto



lab110:

cmp eip, tmp5

je patcherr

cmp eip, tmp4

je lab111

jmp error



lab111:

bc tmp4

bc tmp5

mov eip, tmp7

mov tmp1, dllimgbase

add tmp1, CAC

mov patchendaddr, [tmp1]

//msg "OEP stolen code analyze OK!"

//pause

fill dllimgbase, 0d00, 00      //cleaning location storing call xxxxxxxx address

mov curzeroVA, eip

mov newzeroVA, newphysec

mov virzeroVA, virtualsec

mov tmp1, vcrefend

mov tmp2, [tmp1+0C]

add tmp2, OEPscaddr

mov findendaddr, tmp2

mov caller1, "lab111"

jmp lab160                 //copy code to new section



lab113:

mov caller1, "nil"

cmp patchinsamesec, 1

je lab121

fill lastsecbase, lastsecsize, 00

mov patchinsamesec, 0      //restore flag



//Analyse SDK stolen code

lab121:

cmp sdksccount, 0

je lab141

mov count, 0           //counter for fixed sdk stolen code section

mov tmp1, [xtrascloc]

cmp tmp1, 0

je lab150



lab122:

mov tmp1, dllimgbase

add tmp1, EF0           //dllimgbase+EF0

mov [tmp1], xtrascloc



lab123:

mov tmp1, dllimgbase

add tmp1, EF0

mov tmp4, [tmp1]

mov scstk, [tmp4]

cmp scstk, 0

je lab150

//log scstk

add tmp4, 4

mov [tmp1], tmp4          //address point to next stolen code section  

mov sdkscaddr, [scstk+18]

cmp sdkscaddr, 0

je lab131

log sdkscaddr, "SDK stolen code section address = "

find sdkscaddr, #0000000000000000#

mov findendaddr, $RESULT

add findendaddr, 8

mov patchaddr, findendaddr

add patchaddr, 10

and patchaddr, fffffff0

//log patchaddr



//Check if the freespace is sufficinet

GMEMI findendaddr, MEMORYOWNER

mov tmp1, $RESULT

GMEMI patchaddr, MEMORYOWNER

mov tmp2, $RESULT

cmp tmp1, tmp2

jne lab124

GMEMI findendaddr, MEMORYSIZE

mov tmp1, $RESULT

//log tmp1, "Section size = "

mov tmp3, tmp1



//Assume every 1000 bytes will need C0 bytes of free space

shr tmp3, 0C

mov tmp4, tmp3

shl tmp3, 7

shl tmp4, 6

add tmp3, tmp4

//log tmp3, "Free space need = "

add tmp1, tmp2

sub tmp1, patchaddr

//log tmp1, "Free space exist = "

cmp tmp1, tmp3

ja lab125



lab124:

mov patchaddr, lastsecbase

mov patchinsamesec, 0

jmp lab126



lab125:

mov patchinsamesec, 1



lab126:

call FillSCPatch



lab127:

mov tmp1, dllimgbase

mov tmp2, dataloc

add tmp2, 800     //dataloc+800

mov tmp3, tmp1

add tmp3, 0D00    //dllimgbase+D00

add tmp1, 5       //5

mov [tmp1], tmp3

add tmp1, 5       //0A

mov [tmp1], scstk

add tmp1, 0D      //17

mov [tmp1], tmp2

add tmp1, 2A      //41

mov [tmp1], findendaddr

add tmp1, 19      //5A

mov [tmp1], tmp2

add tmp1, 7       //61

mov [tmp1], patchaddr

add tmp1, 5       //66

mov [tmp1], scstk

add tmp1, A7      //10D

mov [tmp1], #18#

add tmp1, 6D7     //7E4

mov [tmp1], #C390909090#

mov tmp4, dllimgbase

add tmp4, C9C

mov tmp1, dataloc

add tmp1, 1000

mov [tmp4], tmp1

add tmp4, 4

mov [tmp4], dataloc

mov tmp4, dllimgbase

add tmp4, 7D9             //end point

bp tmp4

mov tmp5, tmp4

add tmp5, 7               //error point 7E0

bp tmp5

mov tmp7, eip             //save eip

mov eip, dllimgbase

eob lab128

eoe lab128

esto



lab128:

cmp eip, tmp5

je patcherr

cmp eip, tmp4

je lab129

jmp error



lab129:

bc tmp4

bc tmp5

mov eip, tmp7        //restore eip

//msg "SDk section analyze OK!"

//pause

mov patchendaddr, [dllimgbase+0CAC]



lab130:

add count, 1

fill dllimgbase, 0d00, 00      //cleaning location storing call xxxxxxxx address



lab131:

mov curzeroVA, sdkscaddr



lab132:

cmp newpatchaddr, 0        //1st stolen code section ?

jne lab133

mov virzeroVA, virtualsec

mov newzeroVA, newphysec

jmp lab134



lab133:

mov tmp1, newpatchendaddr

and tmp1, 0FFFFFF00

add tmp1, 200

mov newzeroVA, tmp1

sub tmp1, newphysec       //offset

add tmp1, virtualsec

mov virzeroVA, tmp1 



lab134: 

mov caller1, "lab134"

mov eip, tmp7

jmp lab160             //move code to new section



lab135:

mov caller1, "nil"



lab137:

fill dataloc, 4000, 00       //clear data

cmp patchinsamesec, 1

je lab138

fill lastsecbase, lastsecsize, 00   //clear last sec



lab138:

mov tmp4, [dllimgbase+EF0]

mov scstk, [tmp4]

//log scstk

cmp scstk, 0                 //Process all SDK section with scstk ?

jne lab123

//Process SDK section without scstk

mov tmp9, newpatchendaddr

mov tmp1, dllimgbase

add tmp1, 0E00

mov tmp8, xtrascloc

add tmp8, 80

mov [tmp1], tmp8



lab139:

mov tmp1, dllimgbase

add tmp1, 0E00

mov tmp8, [tmp1]

mov tmp6, [tmp8]

cmp tmp6, 0

je lab141

and tmp9, 0FFFFFF00

add tmp9, 200           

mov newzeroVA, tmp9

sub tmp9, newphysec       //offset

add tmp9, virtualsec

mov virzeroVA, tmp9

mov curzeroVA, [tmp8+4]

mov sdkscaddr, [tmp8+4]

find curzeroVA, #000000000000000000000000#

mov tmp4, $RESULT

cmp tmp4, 0

je error         

sub tmp4, curzeroVA       //size to copy 

mov tmp1, dllimgbase

mov [tmp1], #609CBE0039F600BF00296900B990000000F2A49D619090000000000000000000#

mov tmp1, dllimgbase

add tmp1, 3

mov [tmp1], curzeroVA

add tmp1, 5      //8

mov [tmp1], newzeroVA

add tmp1, 5      //D

mov [tmp1], tmp4

add tmp1, 8      //15 --end point

bp tmp1

mov tmp7, eip

mov eip, dllimgbase

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7

fill dllimgbase, 100, 00

mov tmp9, newzeroVA

add tmp9, tmp4

mov newpatchendaddr, tmp9

mov caller1, "lab139"

jmp lab180



lab140:

mov caller1, "nil"

mov tmp1, dllimgbase

add tmp1, 0E00

mov tmp8, [tmp1]

add tmp8, 8

mov [tmp1], tmp8

mov tmp9, newpatchendaddr

jmp lab139



lab141:

cmp 55sc, 0

je lab143

cmp newphysec, 0

jne lab141_1

alloc 1000

mov newphysec, $RESULT

mov newzeroVA, newphysec

mov tmp1, lastsecbase

add tmp1, lastsecsize

mov virtualsec, tmp1

mov virzeroVA, virtualsec

mov tmp1, 55dataloc

jmp lab141_2



lab141_1:

mov tmp1, newpatchendaddr

and tmp1, 0FFFFFF00

add tmp1, 200           

mov newzeroVA, tmp1

cmp virtualsec, 0

je error

sub tmp1, newphysec       //offset

add tmp1, virtualsec

mov virzeroVA, tmp1 

mov tmp1, 55dataloc



//process std function

lab141_2:

mov tmp2, [tmp1]

cmp tmp2, 0

je lab143

log tmp2, "Std function at "

mov tmp3, 0

mov tmp3, [tmp2], 1

cmp tmp3, 0e9

je lab141_3

cmp tmp3, 68

jne error

mov tmp4, [tmp2+1]

jmp lab141_4



lab141_3:

GCI tmp2, DESTINATION

mov tmp4, $RESULT



lab141_4:

find tmp4, #0000000000000000#

mov tmp5, $RESULT

cmp tmp5, 0

je error

sub tmp5, tmp4

mov [newzeroVA], [tmp4], tmp5

cmp tmp3, 0e9

je lab141_5

cmp tmp3, 68

jne error

eval "push 0{virzeroVA}"

asm tmp2, $RESULT

jmp lab141_6



lab141_5:

eval "jmp 0{virzeroVA}"

asm tmp2, $RESULT



lab141_6:

add newzeroVA, tmp5

add newzeroVA, 20

add virzeroVA, tmp5

add virzeroVA, 20

add tmp1, 4

jmp lab141_2 



lab143:

cmp newphysec, 0

je lab144

mov tmp1, lastsecbase

add tmp1, lastsecsize

cmp tmp1, virtualsec

je lab144

eval "All_{virtualsec}.bin"

DM newphysec, newphysecsize, $RESULT



lab144:

log iatstartaddr, "Address of IAT = "

log iatstart_rva, "RVA of IAT = "

log iatsize, "Size of IAT = "

mov tmp3, OEP_rva

add tmp3, imgbase

GPI PROCESSNAME

mov tmp6, $RESULT

cob

coe

mov tmp1, dllimgbase

mov [tmp1], #609C546A4068001000006800004000E88A160577B80002400033D2668B50068BF081C600010000B9080000008BFE83C7#

add tmp1, 30         //30

mov [tmp1], #08F2A4664A6683FA00740583C620EBE783C618C70661737072C7460800200000C7460C00003D01C7461000200000C746#

add tmp1, 30         //60

mov [tmp1], #1400003D01C74624400000E066FF4006814050002000009D6190900000000000#

mov tmp1, dllimgbase

add tmp1, 0B

mov [tmp1], imgbase

add tmp1, 4     //0F

asm tmp1, "call VirtualProtect"

add tmp1, 6     //15

mov [tmp1], signVA

cmp newphysec, 0      //with stolen code section?

je lab145

mov tmp4, lastsecbase

add tmp4, lastsecsize

cmp tmp4, virtualsec

jne lab145

add tmp1, 37    //4C

mov [tmp1], newphysecsize

mov tmp4, lastsecbase

add tmp4, lastsecsize 

sub tmp4, imgbase

add tmp1, 7     //53

mov [tmp1], tmp4

add tmp1, 7     //5A

mov [tmp1], newphysecsize

add tmp1, 7     //61

mov [tmp1], tmp4

add tmp1, 12    //73

mov [tmp1], newphysecsize

add tmp1, 6     //79 -- end point

jmp lab145_1



lab145:

mov tmp1, dllimgbase

add tmp1, 40

mov [tmp1], #9D619090#

add tmp1, 2     //42 -- end point



lab145_1:

bp tmp1

mov tmp7, eip

mov eip, dllimgbase

eob lab145_2

eoe lab145_2

run



lab145_2:

cmp eip, tmp1

je lab145_3

jmp error



lab145_3:

bc tmp1

mov eip, tmp7

fill dllimgbase, 100, 00

mov tmp1, signVA

add tmp1, 3C             //signVA+3C -- FileAlignment

mov [tmp1], 1000

add tmp1, 18             //signVA+54 -- SizeOfHeaders

mov [tmp1], 1000

cmp isdll, 0

je lab146

mov tmp4, 0

mov tmp2, reloc_rva

add tmp2, imgbase



loop19:

mov tmp5, [tmp2+4]

cmp tmp5, 0

je lab145_4

add tmp4, tmp5

add tmp2, tmp5

jmp loop19

 

lab145_4:

mov reloc_size, tmp4

add tmp1, 4C             //signVA+A0 -- RVA of Relocation Table

mov [tmp1], reloc_rva

add tmp1, 4              //signVA+A4 -- Size of Relocation Table

mov [tmp1], reloc_size

log reloc_rva, "RVA of Relocation = "

log reloc_size, "Size of Relocation = "

eval "de_{tmp6}.dll"

mov tmp5, $RESULT

log tmp3, "Address of OEP = "

log OEP_rva, "RVA of OEP = "

mov tmp1, lastsecbase

add tmp1, lastsecsize

sub tmp1, imgbase

dm imgbase, tmp1, tmp5      //dump file

cmp newphysec, 0            //with stolen code section?

je lab147

mov tmp1, lastsecbase

add tmp1, lastsecsize

cmp tmp1, virtualsec

jne lab147

dma newphysec, newphysecsize, tmp5   //add stolen code section

jmp lab147



lab146:

add tmp1, 4C             //signVA+A0 -- RVA of Relocation Table

mov [tmp1], 0

add tmp1, 4              //signVA+A4 -- Size of Relocation Table

mov [tmp1], 0

eval "de_{tmp6}.exe"

mov tmp5, $RESULT

log tmp3, "Address of OEP = "

log OEP_rva, "RVA of OEP = "

mov tmp1, lastsecbase

add tmp1, lastsecsize

sub tmp1, imgbase

dm imgbase, tmp1, tmp5      //dump file

cmp newphysec, 0            //with stolen code section?

je lab147

mov tmp1, lastsecbase

add tmp1, lastsecsize

cmp tmp1, virtualsec

jne lab147

dma newphysec, newphysecsize, tmp5   //add stolen code section



lab147:

cmp newphysec, 0

je lab148

mov tmp1, lastsecbase

add tmp1, lastsecsize

cmp tmp1, virtualsec

jne lab147_1

msg "There are stolen code, check IAT data in log window"

pause

jmp end



lab147_1:

msg "There are stolen code, add stolen code section first before rebuild IAT"

pause

jmp end



lab148:

msg "No stolen code, check IAT data in log window"

pause

jmp end



lab150:

msg "lab150"

pause

jmp end



//relocate Call command stolen code

lab160:

//log patchendaddr

mov tmp1, dllimgbase

mov [tmp1], #609CBE34027B02BF00007D01B922040000F2A4BD000259018B45008B0083F800741A8BD881EB3402FE008B530181C234#

add tmp1, 30

mov [tmp1], #D27E0189530183450004EBDC9D619090#

mov tmp1, dllimgbase

add tmp1, 3         //3

mov [tmp1], curzeroVA

add tmp1, 5         //8

mov [tmp1], newzeroVA

add tmp1, 5         //0D

mov tmp2, findendaddr

sub tmp2, curzeroVA         //bytes to copy

mov [tmp1], tmp2    

add tmp1, 7         //14

mov tmp2, dllimgbase

add tmp2, 200

mov [tmp1], tmp2

mov [tmp2], dataloc

add tmp1, 12        //26

mov tmp2, curzeroVA

sub tmp2, newzeroVA

mov [tmp1], tmp2

mov tmp1, dllimgbase

add tmp1, 2F         //2F

cmp curzeroVA, virtualsec

ja lab161

mov tmp2, virzeroVA

sub tmp2, curzeroVA

mov [tmp1], tmp2

mov tmp1, dllimgbase

add tmp1, 2D        //2D

mov [tmp1], #81EA#

jmp lab162



lab161:

mov tmp2, curzeroVA

sub tmp2, virzeroVA

mov [tmp1], tmp2



lab162:

coe

cob

mov tmp1, dllimgbase

add tmp1, 3E          //end point

mov tmp7, eip         //save eip

mov eip, dllimgbase

bp tmp1

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7        //restore eip

fill dllimgbase, 500, 00

scmp caller1, "lab134"

je lab164_1



//copy and relocate jxx analysed code

//Decide new patch addr

//for Stolen code at OEP

lab163:

cmp patchinsamesec, 1

je lab163_1



lab163_1:

mov tmp1, findendaddr

sub tmp1, curzeroVA      //offset

add tmp1, newzeroVA

mov tmp2, tmp1

and tmp2, 0ff

cmp tmp2, 0

je lab164

and tmp1, 0FFFFFFF0

add tmp1, 20

jmp lab165



lab164:

and tmp1, 0FFFFFFF0

add tmp1, 10

jmp lab165



//for SDK section

lab164_1:

cmp patchinsamesec, 1

je lab164_2

mov tmp1, findendaddr

sub tmp1, curzeroVA

and tmp1, 0FFFFFFF0

add tmp1, 20

add tmp1, newzeroVA

jmp lab165



lab164_2:

mov tmp1, patchaddr

sub tmp1, curzeroVA      //offset

add tmp1, newzeroVA



lab165:

mov newpatchaddr, tmp1

//log newpatchaddr

mov tmp1, dllimgbase

mov [tmp1], #609CBD000DD900BE003ED800BF2018BD01B969000000F2A49090BE0010BE018B0683F8000F84C600000083F8030F844D#

add tmp1, 30         //30

mov [tmp1], #0000008B4DE08B460403C18B55DC8BDA2BD083EA058950018B460803C12BC383E80689430283C3068B460C03C12BC383#

add tmp1, 30         //60

mov [tmp1], #E80589430183C305895DDC83C610EBAF000000000000000000000000000000008B4DE08B460403C18B55DC8BDA2BD083#

add tmp1, 30         //90

mov [tmp1], #EA05895001608BF333D2668B1681E2FFF0000081FA0F800000740346EBEA807E06E975F78975DC618B4DE08B55DC8BDA#

add tmp1, 30         //C0

mov [tmp1], #8B460803C12BC383E80689430283C3068B460C03C12BC383E80589430183C305895DDC83C610E934FFFFFF0000000090#

add tmp1, 30         //F0

mov [tmp1], #9D619090#

mov tmp1, dllimgbase

mov tmp2, dllimgbase

add tmp2, 0D00

add tmp1, 3       //3

mov [tmp1], tmp2

add tmp1, 5       //8

mov [tmp1], patchaddr

add tmp1, 5       //0D

mov [tmp1], newpatchaddr

add tmp1, 5       //12

mov tmp3, patchendaddr

sub tmp3, patchaddr      //bytes to copy

mov [tmp1], tmp3

mov newpatchendaddr, tmp3

add newpatchendaddr, newpatchaddr

add tmp1, 9       //1B

mov tmp2, dataloc

add tmp2, 1000

mov [tmp1], tmp2

mov tmp2, dllimgbase

add tmp2, 0CDC

mov [tmp2], newpatchaddr

add tmp2, 4

mov [tmp2], newzeroVA

mov tmp1, dllimgbase

add tmp1, 0F2         //end point

mov tmp7, eip

mov eip, dllimgbase

bp tmp1

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7

fill dllimgbase, D00, 00

fill dataloc, 4000, 00

scmp caller1, "lab134"

je lab180



lab166:

lm dataloc, sttablesize, "st_table.bin"

mov tmp1, dllimgbase

mov [tmp1], #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#

add tmp1, 30

mov [tmp1], #90909000#

mov tmp1, dllimgbase

add tmp1, 3      //3

mov [tmp1], dataloc

add tmp1, 5      //8

mov [tmp1], imgbase

add tmp1, 5      //0D

mov [tmp1], virzeroVA

add tmp1, 23     //30 -- end point

mov tmp7, eip

mov eip, dllimgbase

bp tmp1

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7

fill dllimgbase, 100, 00

fill dataloc, sttablesize, 00

jmp lab190



//For SDK stolen code

//relocate analysed patch code

lab180:

//log sdkscaddr

//log scstk

lm dataloc, jmptablesize, "jmptable.bin"

mov tmp9, dataloc



lab181:

mov tmp2, [tmp9]

cmp tmp2, 0

je error

mov tmp3, [tmp9+4]

add tmp3, imgbase

mov tmp4, [tmp3+1]

add tmp4, tmp3

add tmp4, 5

cmp tmp4, sdkscaddr

je lab182

add tmp9, tmp2

add tmp9, 04

jmp lab181



lab182:

mov tmp6, [tmp9]     //length

add tmp9, 04

mov tmp5, dataloc

add tmp5, 800



lab183:

cmp tmp6, 0

je lab189

mov tmp2, [tmp9]

mov [tmp5], tmp2

add tmp9, 4

add tmp5, 4

sub tmp6, 4

jmp lab183



lab189:

mov tmp1, dllimgbase

mov [tmp1], #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#

add tmp1, 30

mov [tmp1], #90909000#

mov tmp1, dllimgbase

add tmp1, 3      //3

mov tmp3, dataloc

add tmp3, 800

mov [tmp1], tmp3

add tmp1, 5      //8

mov [tmp1], imgbase

add tmp1, 5      //0D

mov [tmp1], virzeroVA

add tmp1, 23     //30 -- end point

mov tmp7, eip

mov eip, dllimgbase

bp tmp1

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp7

fill dllimgbase, 100, 00

fill dataloc, 1000, 00



lab190:

scmp caller1, "lab111"

je lab113

scmp caller1, "lab134"

je lab135

scmp caller1, "lab139"

je lab140



error:

msg "Error!"

pause

jmp end



wrongver:

find dllimgbase, #0038310D0A#

mov tmp1, $RESULT

cmp tmp1, 0

je wrongver_1

msg "Unsupported Aspr version, probably packed with Aspr v1.31 or v2.0 alpha"

pause

jmp end



wrongver_1:

find dllimgbase, #0031350D0A#

mov tmp1, $RESULT

cmp tmp1, 0

je wrongver_2

msg "Unsupported Aspr version, probably packed with Aspr v1.2x"

pause

jmp end



wrongver_2:

msg "Unsupported Aspr version or it is not packed with Aspr?"

pause

jmp end



error45:

msg "Error 45!"

pause

jmp end



odbgver:

msg "This script work with ODbgscript 1.64 or above"

jmp end



notfound:

msg "Not found"

pause

jmp end



patcherr:

msg "Something error while trying to analyse stolen code"

pause



end:

ret 



//

//

//

//



ChkRelocSize:

find tmp1, #0000000000000000#

mov tmp2, $RESULT

sub tmp2, imgbase

sub tmp2, reloc_rva

mov tmp3, tmp2

and tmp3, 0F

mov tmp4, tmp3

shr tmp4, 2

shl tmp4, 2

cmp tmp4, tmp3

je ChkRelocSize_1

add tmp2, 2



ChkRelocSize_1:

ret



FindEMUAddr:

//find freespace

cob

coe

mov tmp1, dllimgbase

mov [tmp1], #609CB900040000B800000000BF90909000FDF3AFE30383C70483C704893D3000C9009D61909090000000000000000000#

add tmp1, D     //0D

mov tmp2, 1stsecbase

add tmp2, 1stsecsize

sub tmp2, 4

mov [tmp1], tmp2

add tmp1, 11    //1E

mov tmp2, dllimgbase

add tmp2, 30

mov [tmp1], tmp2

add tmp1, 6     //24 -- end point

bp tmp1

mov tmp3, eip

mov eip, dllimgbase

run

cmp eip, tmp1

jne error

bc tmp1

mov eip, tmp3

mov tmp2, [dllimgbase+30]

mov tmp3, tmp2

and tmp3, 0f

mov tmp4, 10

sub tmp4, tmp3

add tmp2, tmp4

add tmp2, 10

mov EmuAddr, tmp2

//log EmuAddr

fill dllimgbase, 34, 00

mov tmp1, 1stsecbase

add tmp1, 1stsecsize

cmp EmuAddr, tmp1

jae FindEMUAddr_3

sub tmp1, tmp2

cmp tmp1, count         //freespace compare with count bytes (2.xx=120 bytes, 1.3x=40 bytes)

jae FindEMUAddr_6



FindEMUAddr_3:

cmp isdll, 1

je FindEMUAddr_4

mov tmp1, imgbase

add tmp1, 0D00

mov EmuAddr, tmp1

jmp FindEMUAddr_6



FindEMUAddr_4:

ask "Freespace less than 120 bytes, enter freespace for Asprotect API emualtion code"

cmp $RESULT, 0

je error

mov EmuAddr, $RESULT

cmp EmuAddr, 1stsecbase

jb FindEMUAddr_5

mov tmp1, lastsecbase

add tmp1, lastsecsize

cmp tmp1, EmuAddr

jb FindEMUAddr_5

//log EmuAddr

jmp FindEMUAddr_6



FindEMUAddr_5:

msg "Can not use this address"

jmp FindEMUAddr_4



FindEMUAddr_6:

mov count, 0             //clear 

ret



FillSCPatch:

mov tmp1, dllimgbase

mov [tmp1], #6083EC60BD000D5901BB000660018B43188945A4C745A8000859018B7DA4803FE875188B4F0103CF83C1053B4B1C750B#

add tmp1, 30       //30

mov [tmp1], #8B75A8893E83C6048975A847897DA481FFA4337B027402EBD290909090909090C745A400000000C745A800085901C745#

add tmp1, 30       //60

mov [tmp1], #AC10347B02BB000660018B75A88B368B45A48B4B6CF7E18B4B3003C833C08A43268B7C83408BC1FFD78BF833C08A4327#

add tmp1, 30       //90

mov [tmp1], #8B5483408BC1FFD28945F433C08A43258B5483408BC1FFD284C00F841D000000FEC80F8478000000FEC80F84B0000000#

add tmp1, 30       //C0

mov [tmp1], #FEC80F8478010000E9130700008B4EFCC606E92BCE83E905894E018B436803F8837B74017503037B70897DF0837DF0FF#

add tmp1, 30       //F0

mov [tmp1], #75110345F4034310837B74017503034370EB0B8B45F0E8D9060000034310C646FBE88D4EFB2BC183E8058946FC8B45A0#

add tmp1, 30       //120

mov [tmp1], #89088345A004E9950600009090909090C606E98B436803F8837B74017503037B70897DF0837DF0FF75080345F4034310#

add tmp1, 30       //150

mov [tmp1], #EB0E8B43180345F02BC683E805894601E95B0600009090909090909090909090E8230000008B459CC700020000008345#

add tmp1, 30       //180

mov [tmp1], #9C048BD6E81F000000E82A000000E92D06000090909090908B55AC2BD683EA05C606E9895601C390522B53188B459C89#

add tmp1, 30       //1B0

mov [tmp1], #1083459C045AC39033C08A43288B5483408BC1FFD2837B7401750733D28A537032C2E8B905000086E0050F8000008B4D#

add tmp1, 30       //1E0

mov [tmp1], #AC6689018B43180345F4034368837B740175030343708BD0E8ABFFFFFF2BD183EA0689510283C106037B18037B68837B#

add tmp1, 30       //210

mov [tmp1], #74017503037B70C601E98BD7E887FFFFFF2BD183EA0589510183C1053E894DACC3909090909090909090909090909090#

add tmp1, 30       //240

mov [tmp1], #E853FFFFFF8B459CC700030000008345#

add tmp1, 10       //250

mov [tmp1], #9C048BD6E84FFFFFFF909090909033C08945B08945B48945B88945BC8A432B8B5483408BC1FFD2837B740175032B4370#

add tmp1, 30       //280

mov [tmp1], #8945B033C08A43298B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B0C745B40100000033C08A432C8B548340#

add tmp1, 31       //2B1

mov [tmp1], #8BC1FFD2837B740175032B43708945B833C08A432A8B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B8C745BC0100000033C08A432D8B5483408BC1# 

add tmp1, 40       //2F1

mov [tmp1], #FFD285C00F8425000000480F848E010000480F8427020000480F8440030000480F84E9030000E9C404000090909090#

add tmp1, 2F       //320

mov [tmp1], #51538B4DAC837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB00474#

add tmp1, 30       //350

mov [tmp1], #0E807DB005741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9CA0000003E8B55B8#

add tmp1, 30       //380

mov [tmp1], #81FA800000007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102# 

add tmp1, 30       //3B0

mov [tmp1], #EB1B668901C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB66#

add tmp1, 30       //3E0

mov [tmp1], #891183C104EB5F837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E8B#

add tmp1, 30       //410

mov [tmp1], #55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B0894102#

add tmp1, 30       //440

mov [tmp1], #89510683C10A894DACE9320300009090#

add tmp1, 50       //490

mov [tmp1], #51538B4DAC837DB4010F854103000083#

add tmp1, 10       //4A0

mov [tmp1], #7DBC017544B83B00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3966#

add tmp1, 30       //4D0

mov [tmp1], #8901C6410224EB0C0500400000668901C641020083C103EB1FB83B05000033D23E8A55B0C0E20386F203C26689013E8B#

add tmp1, 30       //500

mov [tmp1], #55B889510283C106894DACE970020000#

add tmp1, 30       //530

mov [tmp1], #51538B4DAC837DB4010F859F000000837DBC017551807DB005742AB83800000033D23E8A55B8C0E2033E0255B086F203# 

add tmp1, 30       //560

mov [tmp1], #C266890183C102807DB0047524C6012483C101EB1CB83845000033D23E8A55B8C0E20386F203C2668901C641020083C1#

add tmp1, 30       //590

mov [tmp1], #03E983000000807DB0047423807DB005742BB88038000033D23E8A55B086F203C26689018B55B888510283C103EB5AC7#

add tmp1, 30       //5C0

mov [tmp1], #01833C24008A55B8885103EB0CC701837D00008A55B888510383C104EB3B837DBC017521B83805000033D23E8A55B8C0#

add tmp1, 30       //5F0

mov [tmp1], #E20386F203C26689013E8B55B089510283C106EB1466C701803D8B55B08951028A45B888410683C107894DACE95F0100#

add tmp1, 30       //620

mov [tmp1], #009000#

add tmp1, 30       //650

mov [tmp1], #51538B4DAC837DB4010F8581010000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB80474#

add tmp1, 30       //680

mov [tmp1], #0E807DB805741166890183C102EB39668901C6410224EB0C0500400000668901C641020083C103EB1FB83A05000033D2#

add tmp1, 30       //6B0

mov [tmp1], #3E8A55B0C0E20386F203C26689013E8B55B889510283C106894DACE9B0000000#

add tmp1, 50       //700

mov [tmp1], #5153837DB4010F85D4000000837DBC017524B83BC0000033D23E8A55B0C0E2033E0255B886F203C28B4DAC66890183C1#

add tmp1, 30       //730

mov [tmp1], #02894DACEB22B881F8000033D23E8A55B086F203C28B4DAC6689013E8B55B889510283C106894DACEB26000000000000#

add tmp1, 50      //780

mov [tmp1], #5B59E831FAFFFFEB37909090909090903C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007C3909090909090909090909090909090#

add tmp1, 40      //7C0

mov [tmp1], #FF45A48345A8048B45A88B0083F8000F8590F8FFFF83C460619090909090909090909090BFD7397A01B9FFFFFFFFF2AF81FF4F3A7A0177E88B47F8C390909090#



//chk version

FillSCP1:

find dllimgbase, #8B5482408BC6FFD22C#

mov tmp1, $RESULT

cmp tmp1, 0

je FillSCP2

add tmp1, 9

mov tmp2, [tmp1], 1

cmp tmp2, 2

je FillSCP3

cmp tmp2, 1

jne patcherr

mov tmp1, dllimgbase

add tmp1, AC          //AC

mov [tmp1], #9001#

add tmp1, 8           //B4

mov [tmp1], #15#

add tmp1, 8           //BC

mov [tmp1], #70#

add tmp1, 8           //C4

mov [tmp1], #A800#

add tmp1, 233         //2F7

mov [tmp1], #0504#

add tmp1, 7           //2FE

mov [tmp1], #1E00#

add tmp1, 7           //305

mov [tmp1], #8701#

add tmp1, 7           //30C

mov [tmp1], #2002#

add tmp1, 7           //313

mov [tmp1], #3903#

jmp FillSCP3



//resolve vm code in aspr dll

FillSCP2:

//alloc 10000

//mov VMcodeloc, $RESULT

//log VMcodeloc

//lm VMcodeloc, 4000, "d:\Asprvm8s.bin"



FillSCP3:

ret

